#HITB2022SIN #COMMSEC ICEFALL – Revisiting A Decade Of OT Insecure-By-Design Practices - Jos Wetzels

More than a decade ago, Project Basecamp highlighted how many OT devices and protocols deployed in a wide variety of industries and critical infrastructure applications were insecure-by-design. Ever since, it’s been common knowledge that one of the biggest issues facing OT security is not so much the presence of unintentional vulnerabilities but the persistent absence of basic security controls. While the past decade has seen the advent of standards-driven hardening efforts at the component and system level, it has also seen impactful real-world OT incidents like Industroyer and TRITON abusing insecure-by-design functionality, which has left many defenders wondering just how much has changed.

In this talk, we will present dozens of previously undisclosed issues in products from almost 20 vendors deployed in industry verticals ranging from oil & gas, chemical and power generation to water management, mining and manufacturing. We will provide a quantitative overview of these issues, which range from persistent insecure-by-design practices in security-certified products to failed attempts to move away from them, in order to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often false sense of security offered by certifications significantly complicate OT risk management efforts.

In addition, we will take a technical deep-dive into several of the issues to demonstrate the ability of attackers to achieve remote code execution on critical Level 1 devices using nothing but intended functionality, and discuss the defensive implications. Finally, we will present quantitative insights into our research process in order to provide the audience with some hard numbers on the resources required to develop basic offensive capabilities for the issues discussed, and their potential implications for the relevant threat landscape.

===

Jos Wetzels is a security researcher at Forescout specializing in embedded systems security. His research has involved reverse-engineering, vulnerability research and exploit development across various domains ranging from industrial and automotive systems to IoT, networking equipment and deeply embedded SoCs. He previously worked as a researcher at the Distributed and Embedded Security group (DIES) at the University of Twente (UT) in the Netherlands, where he developed exploit mitigation solutions for constrained Industrial Control Systems (ICS) devices used in critical infrastructure, performed security analyses of state-of-the-art network and host-based intrusion detection systems, and was involved in research projects on the on-the-fly detection and containment of unknown malware and Advanced Persistent Threats.