Dozens of vulnerabilities threaten major OT device makers | Cybersecurity Dive

2022-07-02 09:19:28 By: Mr. Frank Zhang

Researchers from Forescout’s Vedere Labs found 56 vulnerabilities across big names like Honeywell and Motorola, raising design-level security concerns.

Vedere Labs researchers say the vulnerabilities, which they call OT: Icefall, are the result of insecure design processes. Daniel dos Santos, head of security research at Forescout, said the OT space often assumes whoever is interacting with a device is trusted, and not a potential adversary.

“This is reflected in the fact that protocols lack authentication and encryption, or devices have hardcoded credentials or don’t verify the authenticity and integrity of firmware updates,” dos Santos said via email. 

The disclosures come at a sensitive time for critical infrastructure providers. State-linked threat actors and sophisticated ransomware groups have targeted major industrial sites in recent years, including Colonial Pipeline and meat supplier JBS USA. 

Just two months ago, researchers revealed a sophisticated, custom-made malware, called Incontroller or Pipedream, designed to destabilize industrial sites or undermine safety systems, which could result in the injury or potential death of anyone working at such a site.

Katell Thielemann, VP analyst at Gartner, said the volume of OT vulnerabilities will only increase in the future, because more researchers are looking into this previously ignored part of the technology stack.

This will place a heavier burden on original equipment manufacturers to test in tightly controlled environments and on end users to determine whether patching, isolation or upgrades make the most sense. 

Erik Nost, senior analyst at Forrester, said the report highlights challenges facing the software development lifecycle. 

“Integrating security into the entire process, from design to testing to deployment, often competes against other priorities and deadlines,” Nost said via email. “It takes commitment at an organizational level which seems to be coming to fruition for a lot of organizations these days, after years of trials and missteps.”

The vulnerabilities Vedere Labs researchers discovered are not very difficult to reverse-engineer and could be exploited within a matter of days, according to researchers.

The manufacturers have been notified and the Cybersecurity and Infrastructure Security Agency (CISA) is working to coordinate the disclosure process, according to dos Santos. In some cases other national agencies have been brought into the process, including in Japan, as some of the manufacturers are based overseas. 

CISA is expected to issue an advisory on the vulnerabilities, according to Vedere Labs, but agency officials have not yet responded to a request for comment.
