Presence of OT:ICEFALL vulnerabilities in Phoenix Contact, JTEKT, Siemens hardware, CISA reveals

Following the disclosure by Forescout’s Vedere Labs of 56 vulnerabilities stemming from insecure-by-design practices in devices from ten OT (operational technology) vendors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published advisories with specific details, mitigations, and recommendations covering the OT:ICEFALL vulnerabilities found in certain Phoenix Contact, JTEKT, and Siemens products deployed across critical infrastructure sectors.

The Forescout research found ‘insecure by design’ problems across ten manufacturers, including Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

CISA warned on Tuesday of a vulnerability in Phoenix Contact’s ProConOS/ProConOS eCLR and MULTIPROG products, which are used across multiple critical infrastructure sectors. The weakness is classed as ‘insufficient verification of data authenticity’: the runtime does not verify the origin or integrity of the logic it receives, so an attacker who gains access to the communication with a product built on ProConOS/ProConOS eCLR or MULTIPROG could upload arbitrary malicious code.

All versions of ProConOS, ProConOS eCLR, and MULTIPROG are affected, CISA said. ProConOS is a software development kit and runtime that other manufacturers build into their own controllers. Daniel dos Santos and Jos Wetzels of Forescout Technologies reported this vulnerability to CISA.

According to the CISA advisory, Phoenix Contact has provided several mitigations and workarounds. For instance, industrial controllers based on ProConOS/ProConOS eCLR are typically developed and designed for use in closed industrial networks using a defense-in-depth approach and focusing on network segmentation. “In such an approach, the production plant is protected against attacks (especially from the outside) by a multi-level perimeter, including firewalls, as well as dividing the plant into OT zones. This concept is supported by organizational measures in the production plant as part of a security management system. To accomplish such security, measures are required at all levels,” the advisory said.

Manufacturers that use ProConOS/ProConOS eCLR in their automation devices are advised to review their implementation and publish an advisory for their own products, the CISA advisory said. Users of such devices should check whether their application requires additional security measures, such as an adequate defense-in-depth network architecture, virtual private networks (VPNs) for remote access, or firewalls for network segmentation or controller isolation. Users should also consult the manufacturer’s security advisories for information specific to their device, it added.

Phoenix Contact advised users to ensure that control logic is transferred and stored only in protected environments; this applies both to data in transit and to data at rest. Connections between engineering tools and the controller should stay within a locally protected environment and be tunnelled over a VPN for remote access. The company also advised against sending project data via email or other transfer mechanisms without additional integrity and authenticity checks, and called for project data to be saved in protected environments.
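The advisory leaves the “additional integrity and authenticity checks” unspecified. The following is an added example, not Phoenix Contact or CISA code, of what such a check can look like for a project bundle that has to leave the protected engineering network: the sender publishes a manifest of per-file SHA-256 digests and authenticates it with HMAC-SHA256 under a key shared out of band, and the receiving side refuses to load the project unless the manifest authenticates and every file matches it. The file names, file contents, and key below are constructed sample data; a real deployment would provision the key through a separate channel and never ship it alongside the project.

```python
"""Added example: authenticate a PLC project bundle before it is loaded.

Not vendor code. Demonstrates the integrity/authenticity check the advisory
recommends for project data transferred outside a protected environment.
Uses only the Python standard library.
"""
import hashlib
import hmac
import json

# Constructed sample project bundle: logical file name -> file bytes.
SAMPLE_PROJECT = {
    "main.st": b"PROGRAM Main\n  Motor := Start AND NOT Stop;\nEND_PROGRAM\n",
    "config.xml": b'<config cpu="ILC151" cycle_ms="10"/>\n',
}
# Assumed shared key, provisioned out of band (example value only).
SAMPLE_KEY = b"example-key-do-not-use-in-production"


def build_manifest(files):
    """Map each file name to its SHA-256 digest; any byte change alters it."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}


def canonical(manifest):
    """Deterministic JSON encoding so signer and verifier MAC identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_project(files, key):
    """Produce the envelope that travels with the project files."""
    manifest = build_manifest(files)
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "hmac_sha256": tag}


def verify_project(files, envelope, key):
    """Return (ok, reason). Authenticity of the manifest is checked first;
    only then are the received files compared against it, rejecting any
    modified, missing, or extra file."""
    manifest = envelope.get("manifest")
    tag = envelope.get("hmac_sha256", "")
    if not isinstance(manifest, dict) or not isinstance(tag, str):
        return False, "malformed envelope"
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, tag):
        return False, "manifest authentication failed"
    if set(files) != set(manifest):
        return False, "file set differs from signed manifest"
    for name, data in files.items():
        if hashlib.sha256(data).hexdigest() != manifest[name]:
            return False, f"content mismatch: {name}"
    return True, "ok"


def demo():
    """Run the check on a clean, a tampered, and a forged bundle."""
    env = sign_project(SAMPLE_PROJECT, SAMPLE_KEY)
    clean = verify_project(SAMPLE_PROJECT, env, SAMPLE_KEY)
    # Logic altered in transit, envelope unchanged: hash mismatch.
    tampered = dict(SAMPLE_PROJECT)
    tampered["main.st"] = b"PROGRAM Main\n  Motor := TRUE;\nEND_PROGRAM\n"
    altered = verify_project(tampered, env, SAMPLE_KEY)
    # Attacker also rewrites the manifest to match, but cannot recompute the MAC.
    forged_env = {"manifest": build_manifest(tampered), "hmac_sha256": env["hmac_sha256"]}
    forged = verify_project(tampered, forged_env, SAMPLE_KEY)
    return clean, altered, forged


if __name__ == "__main__":
    for label, (ok, reason) in zip(("clean", "tampered", "forged"), demo()):
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The manifest is authenticated before any per-file comparison, so an attacker who can edit both the logic and the manifest still needs the key. HMAC is symmetric, which means any party that can verify can also sign; where the receiving side should be able to verify but not produce project bundles, replace the HMAC with a digital signature (for example Ed25519 via a library such as `cryptography`) and keep only the public key on the verifier.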

Another CISA advisory cautioned of a ‘missing authentication for critical function’ vulnerability across Phoenix Contact classic line controllers, including ILC 131 ETH, ILC 131 ETH/XC, ILC 151 ETH, ILC 151 ETH/XC, ILC 171 ETH 2TX, ILC 191 ETH 2TX, ILC 191 ME/AN, and AXC 1050. Exploitation could allow an unauthenticated attacker to change configurations, manipulate services, or cause a denial-of-service condition.

The advisory disclosed that Sergiu Sechel reported this vulnerability to Phoenix Contact, while Forescout’s dos Santos and Wetzels reported this vulnerability to CISA.

Phoenix Contact said its classic line controllers are designed and developed for use in closed industrial networks, the CISA advisory said. Their control and configuration protocols have no authentication mechanism by design. Phoenix Contact therefore recommends using the devices exclusively in closed networks protected by a suitable firewall. Where an affected controller cannot be operated inside such a protected zone, the OT communication protocols should be disabled, either through the CPU services on the console or through web-based management, depending on the controller type.

Information on which controllers, and from which firmware version, allow the communication protocols to be disabled is given in Phoenix Contact’s application note for classic line controllers and in the manual for the respective controller, both available for download from the Phoenix Contact website, the advisory added.

In another advisory, CISA notified of a ‘use of client-side authentication’ vulnerability in Siemens’ SIMATIC WinCC OA, which is used across multiple critical infrastructure sectors. Because the client, not the server, decides whether a user is authenticated, exploiting this vulnerability could allow an attacker to impersonate other users or use the client-server protocol without authenticating.

Siemens recommends enabling server-side authentication (SSA) or Kerberos authentication for the WinCC OA project. “As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. Furthermore, to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens operational guidelines for industrial security and following recommendations in the product manuals,” the CISA advisory added.

CISA also disclosed a ‘missing authentication for critical function’ vulnerability in JTEKT TOYOPUC products, which are typically deployed in the critical manufacturing sector. Exploiting this vulnerability could cause a denial-of-service condition, change control logic, or disable communication links. Forescout researchers dos Santos and Wetzels reported this vulnerability to CISA.

As workarounds, JTEKT said that when remote access is required, secure methods such as VPNs should be used. VPNs may themselves contain vulnerabilities, so they should be kept updated to the most current version available, and they are only as secure as the devices they connect.

Additionally, users can place control system networks and remote devices behind firewalls and isolate them from the business network, minimize network exposure for all control system devices and/or systems, use IP filter functions to allow only specific personal computers/devices to connect, and ensure the devices are not accessible from the Internet. To prevent unauthorized devices from being connected to the free ports of a network hub, a LAN port lock should be used to close the unused ports, the CISA advisory added.
