The operational technology (OT) world suffered a rude awakening when Forescout researchers disclosed more than 50 vulnerabilities, affecting 26 different device models, from 10 different OT manufacturers, dubbed “OT:Icefall”, on June 21, 2022. These vulnerabilities sent shockwaves through the industry, in part due to their expansiveness, but mainly because of the types of devices they impact.
According to Forescout’s report, these are the devices affected by OT:Icefall:
| Manufacturer | Model | Device type |
|---|---|---|
| Bently Nevada | 3700, TDI equipment | Condition monitors |
| Emerson | DeltaV | Distributed control system |
| Emerson | Ovation | Distributed control system |
| Emerson | OpenBSI | Engineering Workstation |
| Emerson | ControlWave, BB 33xx, ROC | Remote terminal unit |
| Emerson | Fanuc, PACsystems | Programmable logic controller |
| Honeywell | Trend IQ* | Building controller |
| Honeywell | Safety Manager FSC | Safety instrumented system |
| Honeywell | Experion LX | Distributed control system |
| Honeywell | ControlEdge | Remote terminal unit |
| Honeywell | Saia Burgess PCD | Programmable logic controller |
| JTEKT | Toyopuc | Programmable logic controller |
| Motorola | MOSCAD, ACE IP gateway | Remote terminal unit |
| Motorola | MDLC | Protocol |
| Motorola | ACE1000 | Remote terminal unit |
| Motorola | MOSCAD Toolbox STS | Engineering workstation |
| Omron | SYSMAC Cx series, Nx series | Programmable logic controller |
| Phoenix Contact | ProConOS | Logic runtime |
| Siemens | WinCC OA | Supervisory control and data acquisition (SCADA) |
| Yokogawa | STARDOM | Programmable logic controller |
Why OT is so Different from IT
OT devices are deployed in much of our critical infrastructure – everything from refineries to nuclear plants. Because of their criticality and spartan processing/memory resources, patching or updating these devices is extremely difficult, if not impossible.
From a device manufacturer perspective, developing a patch is a time consuming, expensive process that doesn’t always work. It can end up costing in excess of a few million dollars per patch, when all the resources, testing and updating required for all deployed devices are considered. This process is further complicated, and potentially delayed or rendered unfeasible by any downstream vendors that may be involved. Often third party source code, which is typically needed to engineer a patch, is unavailable. (According to Forescout’s report, there are downstream vendors to consider with the IceFall vulnerabilities).
Even if a patch can be issued, many of these OT and IoT devices can’t be reached or taken offline at all to apply it. (Not to mention the downtime resulting from testing required to make sure the patching process itself didn’t break or introduce any issues). Typically, patching these embedded devices often means flashing a new firmware. This is a process that makes even the most experienced device operators very nervous. Why? Because, unlike applying a patch to a Windows or Mac machine, the process isn’t just installing a single program on an existing system, it is reflashing the entire firmware of the device. The smallest of mistakes in this very delicate process could have significant consequences, disrupting the device’s availability and leading to even more downtime.
In addition, most OT devices are designed to be self-contained and run autonomously, without much (or any) human intervention or disruption. This means other controls and mitigating measures available to protect general information technology (IT) systems are often off the table for OT devices. For instance, the limited compute resources of OT devices often prevent security agents from being able to run on them. And typical controls, like those implemented by firewalls and intrusion prevention systems, can’t be used because of their potential impact on normal, ongoing operations. (Imagine an energy grid going down because a firewall blocked a connection.)
It’s Time for a Paradigm Shift
The current IoT threat landscape is forcing us to reconsider the security compromises we’ve been making over the last few years. We’ve really only had three options (or a combination):
- Constantly chase new firmware versions and patches and try to manage any disruptions that applying them can have on ongoing operations (via patch management planning and orchestration).
- Use passive approaches, like security by design, static and firmware analysis, or segmentation, and hope for the best (although we know these methods have proven only modestly successful at averting threats)
- Close our eyes, pretend the problem doesn’t exist, and hope that our organization’s devices aren’t targeted by threat actors (a.k.a. putting our proverbial heads in the ground).
Obviously, these options are insufficient. The good news is, now, with Sternum, there is finally an option that is both effective and sustainable:
- Give devices the ability to protect themselves, ahead of time, as part of the firmware, to make patch-chasing irrelevant and exploitation of vulnerabilities moot.
The Sternum Device Security and Insights Platform takes a direct-to-binary approach that ensures code can’t be manipulated or used to perpetrate attacks. It is universal, working for any device (any OS or version of RTOS or Linux) at any deployment stage (in development or in the field) immediately – adding visibility and security, without changing any functionality.
Sternum’s runtime protection can identify exploits and mitigate them on-the-fly without causing any downtime. It is a lightweight embedded endpoint protection solution that can be seamlessly integrated into the firmware to protect all running processes and services on a system. It tracks and protects every piece of code that’s being called or executed on the device to ensure it can’t be exploited or used for something it shouldn’t. If an anomaly is detected (be it memory corruption, a logic bug, etc.), Sternum will eliminate the malicious exploitation and alert on exactly what piece of the code on the firmware was exploited.
Further, Sternum provides an autonomous, non-intrusive, cloud-based analytics system that offers real-time visibility into the device. It will alert on blocked threats, as well as monitor for and alert on behavior anomalies, such as brute force login attempts, data leakage/theft, authentication and password violations, and more.
As a result, Sternum provides complete visibility, insights, and control for IoT/OT devices, giving device manufacturers a way to easily include persistent protection against whatever vulnerabilities may arise. Finally, there is a deterministic way to pre-emptively protect OT devices from the most frequent attack patterns, be notified in real time when these occur, and prevent vulnerabilities, such as IceFall, from sending organizations into a freefall.
