The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
N/A
Threat Mapped score: 0.0
Industry: Finiancial
Threat priority: Unclassified
CVE: CVE-2022-30260
Distributed Control System (DCS) does not sign firmware images and only relies on insecure checksums for integrity checks
CVE: CVE-2022-30267
Distributed Control System (DCS) does not sign firmware images and only relies on insecure checksums for integrity checks
CVE: CVE-2022-30272
Remote Terminal Unit (RTU) does not use signatures for firmware images and relies on insecure checksums
| Phase | Note |
|---|---|
| Architecture and Design | N/A |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Intro: In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
Body: Multiple vendors did not sign firmware images.