OT:ICEFALL - Revisiting a decade of OT insecure-by-design practices

More than a decade ago, Project Basecamp highlighted how many OT devices and protocols deployed in a wide variety of industries and critical infrastructure applications were insecure-by-design. Ever since, it’s been common knowledge that one of the biggest issues facing OT security is not so much the presence of unintentional vulnerabilities but the persistent absence of basic security controls. While the past decade has seen the advent of standards-driven hardening efforts at the component and system level it has also seen impactful real-world OT incidents like Industroyer and TRITON abusing insecure-by-design functionality, which has left many defenders wondering just how much has changed.

In this talk, we will present dozens of previously undisclosed issues in products from almost 20 vendors deployed in industry verticals ranging from oil & gas, chemical and power generation to water management, mining and manufacturing. We will provide a quantitative overview of these issues, which range from persistent insecure-by-design practices in security-certified products to failed attempts to move away from them, in order to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often false sense of security offered by certifications significantly complicate OT risk management efforts.

In addition, we will take a technical deep-dive into several of the issues to demonstrate the ability of attackers to achieve remote code execution on critical Level 1 devices using nothing but intended functionality and discuss its defensive implications. Finally, we will present quantitative insights into our research process in order to provide the audience with some hard numbers on the resources required to develop basic offensive capabilities for the issues discussed and its potential implications for the relevant threat landscape.

More than a decade ago, Project Basecamp highlighted how many OT devices and protocols deployed in a wide variety of industries and critical infrastructure applications were insecure-by-design. Ever since, it’s been common knowledge that one of the biggest issues facing OT security is not so much the presence of unintentional vulnerabilities but the persistent absence of basic security controls. While the past decade has seen the advent of standards-driven hardening efforts at the component and system level it has also seen impactful real-world OT incidents like Industroyer and TRITON abusing insecure-by-design functionality, which has left many defenders wondering just how much has changed.

In this talk, we will present dozens of previously undisclosed issues in products from almost 20 vendors deployed in industry verticals ranging from oil & gas, chemical and power generation to water management, mining and manufacturing. We will provide a quantitative overview of these issues, which range from persistent insecure-by-design practices in security-certified products to failed attempts to move away from them, in order to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often false sense of security offered by certifications significantly complicate OT risk management efforts.

In addition, we will take a technical deep-dive into several of the issues to demonstrate the ability of attackers to achieve remote code execution on critical Level 1 devices using nothing but intended functionality and discuss its defensive implications. Finally, we will present quantitative insights into our research process in order to provide the audience with some hard numbers on the resources required to develop basic offensive capabilities for the issues discussed and its potential implications for the relevant threat landscape.