{"id":24392,"date":"2022-06-23T06:36:19","date_gmt":"2022-06-23T10:36:19","guid":{"rendered":"https:\/\/www.technewsday.com\/?p=24392"},"modified":"2022-06-23T06:36:19","modified_gmt":"2022-06-23T10:36:19","slug":"poor-security-culture-blamed-for-56-ot-device-flaws","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/poor-security-culture-blamed-for-56-ot-device-flaws\/","title":{"rendered":"Poor Security Culture Blamed For 56 OT Device Flaws"},"content":{"rendered":"<p data-ar-index=\"0\"><span style=\"font-weight: 400;\">Researchers detected 56 vulnerabilities impacting devices from 10 operational technology (OT) vendors, most of which are attributed to inherent design flaws in equipment and a lackluster approach to security and risk management.<\/span><\/p>\n<p data-ar-index=\"2\"><span style=\"font-weight: 400;\">According to the research from Forescout\u2019s Vedere Labs, the vulnerabilities\u2013detected in devices by familiar vendors such as Honeywell, Emerson, Motorola, Siemens, JTEKT, Bently Nevada, Phoenix Contact, Omron, Yokogawa and an unnamed manufacturer\u2013differ in their characteristics and what they allow threat actors to do.<\/span><\/p>\n<p data-ar-index=\"4\"><span style=\"font-weight: 400;\">Researchers categorized the flaws in each of the products into four categories: insecure engineering protocols; weak cryptography or broken authentication schemes; insecure firmware updates; or remote code execution via native functionality.<\/span><\/p>\n<p data-ar-index=\"6\"><span style=\"font-weight: 400;\">According to researchers, threat actors are able to achieve the following by exploiting the flaws on a device: remote code execution (RCE), with code executed in different specialized processors and different contexts within a processor; denial of service (DoS) that can completely shut down a device or block access to a specific function; file\/firmware\/configuration manipulation that enables a threat actor to modify 
important aspects of a device; credential compromise enabling access to device functions; or authentication bypass that enables a threat actor to modify the desired functionality on the target device.<\/span><\/p>\n<p data-ar-index=\"8\"><span style=\"font-weight: 400;\">According to researchers, these flaws could have been avoided, as 74 per cent of the product families impacted by the vulnerabilities possess security certification and were verified before being sent to market.<\/span><\/p>\n<p data-ar-index=\"10\"><span style=\"font-weight: 400;\">Security professionals lamented the lax security strategy of vendors in a field that produces the systems running critical infrastructure, attacks on which can be devastating not just for the networks on which the products exist but for society as a whole.<\/span><\/p>\n<p data-ar-index=\"12\"><span style=\"font-weight: 400;\">The researchers also focused on the reasons for the innate problems pertaining to security design and risk management in OT devices that manufacturers are urged to address in a swift fashion.<\/span><\/p>\n<p data-ar-index=\"14\"><span style=\"font-weight: 400;\">One issue mentioned by the researchers is the lack of uniformity in functionality across devices. This means that their security shortcomings also differ sharply, which makes troubleshooting very difficult.<\/span><\/p>\n<p data-ar-index=\"16\"><span style=\"font-weight: 400;\">In other instances, the inherent insecurity of the device cannot be blamed directly on the manufacturer but rather on \u201cinsecure-by-design\u201d components in the supply chain. 
Researchers reveal that this further complicates how manufacturers manage risk.<\/span><\/p>\n<p data-ar-index=\"18\"><span style=\"font-weight: 400;\">\u201cIndeed, managing risk management in OT and IT devices and systems alike requires \u201ca common language of risk,\u201d something that\u2019s difficult to achieve with so many inconsistencies across vendors and their security and production strategies in an industry,\u201d noted Nick Sanna, CEO of RiskLens.<\/span><\/p>\n<p data-ar-index=\"20\"><span style=\"font-weight: 400;\">To tackle this, he urged vendors to quantify risk in financial terms, which allows risk managers and plant operators to focus decision-making on \u201cresponding to vulnerabilities \u2013 patching, adding controls, increasing insurance \u2014 all based on a clear understanding of loss exposure for both IT and operational assets.\u201d<\/span><\/p>\n<p data-ar-index=\"22\"><span style=\"font-weight: 400;\">However, even if vendors start to tackle the basic challenges that have created the OT:ICEFALL scenario, they face an uphill climb to mitigate the security problem completely, Forescout researchers said.<\/span><\/p>\n<p data-ar-index=\"22\">\n<p data-ar-index=\"22\">For more information, read the <a href=\"https:\/\/threatpost.com\/discovery-of-56-ot-device-flaws-blamed-on-lackluster-security-culture\/180035\/\" target=\"_blank\" rel=\"noopener\">original story<\/a> in Threatpost.com.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers detected 56 vulnerabilities impacting devices from 10 operational technology (OT) vendors, most of which are attributed to inherent design flaws in equipment and a lackluster approach to security and risk management. 
According to the research from Forescout\u2019s Vedere Labs, the vulnerabilities\u2013detected in devices by familiar vendors such as Honeywell, Emerson, Motorola, Siemens, JTEKT, Bently Nevada, [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[381,361,16],"tags":[],"class_list":["post-24392","post","type-post","status-publish","format-standard","hentry","category-operations","category-privacy","category-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/24392","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=24392"}],"version-history":[{"count":1,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/24392\/revisions"}],"predecessor-version":[{"id":24393,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/24392\/revisions\/24393"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=24392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=24392"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=24392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}