ICEFALL - Revisiting A Decade Of OT Insecure-By-Design Practices
Offered By: Hack In The Box Security Conference via YouTube
Course Description
Overview
Explore the persistent problem of insecure-by-design practices in Operational Technology (OT) devices and protocols in this conference talk from the Hack In The Box Security Conference. The talk covers dozens of previously undisclosed issues affecting products from nearly 20 vendors across various industrial sectors and gives a quantitative overview of these vulnerabilities, ranging from security-certified products with inherent design flaws to unsuccessful attempts at improvement. It examines how the opacity and proprietary nature of OT systems, coupled with suboptimal vulnerability management and potentially misleading security certifications, complicate risk management efforts. Technical deep-dives show how attackers can achieve remote code execution on critical Level 1 devices using only intended functionality, and what that implies for defenders. The talk closes with quantitative data on the research process itself, indicating the resources required to develop basic offensive capabilities and their potential impact on the threat landscape.
Syllabus
Intro
Insecure-by-design is a well-known issue, why revisit it?
Example: Segmentation & Hardening
Siemens WinCC OA SCADA (CVE-2022-33139)
Saia Burgess PG5 PCD PLC
Nuance: Supply Chains & Collisions
Example: ProConOS runtime
Nuance: Firmware Updates
Example: Emerson DeltaV DCS
Example: Honeywell Safety Manager (SC) SIS
Example: Emerson ControlWave PLC/RTU
Example: Honeywell Safety Manager SIS
Reverse Engineering
Mitigations
Conclusions
Taught by
Hack In The Box Security Conference