Forescout Research Labs and JFrog Security Research have disclosed a set of 14 new vulnerabilities affecting operational technology (OT) devices.
The vulnerabilities, named INFRA:HALT, were disclosed as part of Forescout Research Lab's latest research supporting the cybersecurity industry.
The vulnerabilities affect the NicheStack TCP/IP stack, present in millions of operational technology devices used by organisations across many critical infrastructure sectors, including manufacturing, oil and gas, electricity and water.
NicheStack was first introduced two decades ago and continues to be central to the operations of many critical enterprise computer systems, making it highly susceptible to multiple forms of cybersecurity attacks. Despite the recent increase in threats, these vulnerabilities are still current, as many manufacturers haven't yet patched their systems.
When exploited, the vulnerabilities allow bad actors to take over building automation devices used to control lighting, power, security and fire systems, and programmable logic controllers used to run assembly lines, machines and robotic devices. This can significantly disrupt industrial operations and provide access to IoT devices. Once accessed, the stack becomes a vulnerable entry point to spread infectious malware across IT networks.
"INFRA:HALT has the potential to cause even more widespread disruption at a time when we already see an increased number of attacks against multiple global utility, oil and gas, healthcare and supply chain organisations," says Forescout Research Labs research manager, Daniel dos Santos.
"We urge organisations to take protective measures against INFRA:HALT, which requires limiting network exposure of critical vulnerable devices via network segmentation and patching devices as soon as vendors release patches."
Santos says that unless action is taken to adequately protect networks and the operational technology devices connected to them, it could only be a matter of time until these vulnerabilities are exploited, resulting in further hacks to critical infrastructure worldwide.
Hypothetical but plausible scenarios of what bad actors can do include:
- Impact manufacturing by obtaining access to factory/plant networks to tamper with production lines. A recent example includes the attack on the world's largest meat supplier JBS.
- Shut down fuel pipelines by infiltrating vulnerable IT networks and leveraging ransomware. A recent example includes the US Colonial Pipeline breach.
- Disable safety systems in oil and gas facilities by accessing exposed OT devices to spread infectious malware. An example includes the TRITON malware attacks on industrial safety systems in the Middle East.
- Compromise water facilities by accessing computers that control a city or country water treatment system. A recent example includes the Oldsmar water facility attack.