Sierra Wireless AirLink OT/IoT routers are used to connect local networks to the internet in sectors such as healthcare, energy, government, transportation, water, retail, manufacturing, and emergency services. Forescout, a network security and risk management company, identified 21 vulnerabilities in these routers that could expose organisations operating critical infrastructure in those industries. Forescout named the set Sierra:21.
Of the 21, Forescout rated one as critical and nine as high severity. The issues include remote code execution, unauthorised access, authentication bypass, denial-of-service (DoS), and cross-site scripting (XSS) flaws.
These vulnerabilities can be exploited to not only steal credentials but also to take control of routers, providing attackers with unauthorised access to targeted devices and serving as entry points into critical networks. Potential attack scenarios include compromising patient and staff devices in healthcare facilities and affecting industrial control systems (ICS) in manufacturing plants.
Forescout found more than 86,000 vulnerable routers exposed directly to the internet, fewer than 10% of which were patched against vulnerabilities disclosed since 2019. Many of the exposed devices have reached end-of-life and no longer receive patches at all. Eight of the 21 vulnerabilities are specific to ALEOS, the operating system of the affected AirLink routers; the remaining 13 affect OpenNDS, an open source captive portal engine embedded in the routers and used in other vendors' products as well, so those flaws reach beyond Sierra Wireless. Sierra Wireless released patches in October 2023, but Forescout highlighted that it took the vendor 128 to 133 days to release them, which shows how long OT devices can stay exposed even when a vendor does respond.
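One way to act on the exposure figures above is a fleet triage pass: compare each router's firmware against the fixed release, flag end-of-life models that will never receive a fix, and rank devices whose management interface is reachable from the internet first. The Python below is an added example, not tooling from Forescout or Sierra Wireless. The inventory rows are constructed, and the fixed-version thresholds (ALEOS_FIXED, OPENNDS_FIXED), the EOL model set and the mgmt_on_wan column are assumptions to be replaced with the values from the vendor advisories and your own asset data.

```python
"""Patch and exposure triage for a fleet of AirLink-style routers.

Added example; not tooling from Forescout or Sierra Wireless. The inventory
below is constructed, and the fixed-version thresholds and EOL model set are
placeholders to be replaced with the values from the vendor advisories.
"""
import csv
import io
from dataclasses import dataclass, field

# Assumed thresholds: substitute the fixed versions named in the vendor advisories.
ALEOS_FIXED = (4, 17, 0)
OPENNDS_FIXED = (10, 1, 3)
# Assumed end-of-life models, for illustration only.
EOL_MODELS = {"LS300", "GX440"}

# Constructed inventory: one row per router. An empty opennds_version means the
# captive portal is not enabled on that device; mgmt_on_wan is an assumed column
# recording whether the management interface is reachable from the internet.
INVENTORY_CSV = """\
device_id,model,aleos_version,opennds_version,mgmt_on_wan
rtr-01,RV50X,4.17.0,,no
rtr-02,RV50,4.9.9,,yes
rtr-03,LS300,4.4.9,,yes
rtr-04,MP70,4.16.0,10.1.2,no
rtr-05,RV50X,4.17.0,10.1.3,yes
"""


def parse_version(text):
    """Turn '4.9.9' into (4, 9, 9) so versions compare numerically.

    A plain string comparison sorts '4.9.9' above '4.17.0' and would report an
    old release as patched, which is exactly the mistake triage cannot afford.
    """
    text = text.strip()
    if not text:
        return None
    return tuple(int(part) for part in text.split("."))


@dataclass
class Finding:
    device_id: str
    priority: str
    reasons: list = field(default_factory=list)


def triage(inventory_csv):
    """Return one Finding per router that needs action, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        unpatched = False
        aleos = parse_version(row["aleos_version"])
        opennds = parse_version(row["opennds_version"])
        exposed = row["mgmt_on_wan"].strip().lower() == "yes"

        if row["model"] in EOL_MODELS:
            unpatched = True
            reasons.append("end-of-life model: no fix will ship, replace or isolate")
        elif aleos is not None and aleos < ALEOS_FIXED:
            unpatched = True
            reasons.append(f"ALEOS {row['aleos_version']} predates the fixed release")
        if opennds is not None and opennds < OPENNDS_FIXED:
            unpatched = True
            reasons.append(f"OpenNDS {row['opennds_version']} predates the fixed release")
        if exposed:
            reasons.append("management interface reachable from the WAN: restrict to VPN/LAN")

        if not reasons:
            continue
        # Unpatched and internet-reachable is the Sierra:21 exposure pattern; act on it first.
        priority = "immediate" if (unpatched and exposed) else "scheduled"
        findings.append(Finding(row["device_id"], priority, reasons))

    order = {"immediate": 0, "scheduled": 1}
    findings.sort(key=lambda f: order[f.priority])  # stable sort keeps inventory order within a tier
    return findings


if __name__ == "__main__":
    for finding in triage(INVENTORY_CSV):
        print(finding.device_id, finding.priority)
        for reason in finding.reasons:
            print("   -", reason)
```

Two design points matter here. Versions are compared as integer tuples because a lexicographic comparison treats 4.9.9 as newer than 4.17.0; that single bug would silently clear an unpatched router. And an end-of-life model is treated as unpatched regardless of its firmware string, since the only remediation left is replacement or network isolation.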
The Sierra Wireless router vulnerabilities pose significant cybersecurity risks to critical infrastructure. They highlight the need for prompt patching, continuous monitoring, and adherence to security best practices, above all keeping router management and captive portal interfaces off the public internet, especially in OT environments where patch windows are rare and devices stay in service for years.
Cyberattacks targeting energy, water, and transportation infrastructure could lead to physical damage. For example, attacks on the control systems of a power grid may result in widespread power outages.
Manufacturing, retail, and other sectors heavily rely on interconnected supply chains. Cyberattacks can disrupt these supply chains, affecting production, distribution, and availability of goods and services. In sectors like transportation, energy, and emergency services, cyberattacks can compromise safety systems, leading to accidents, injuries, or even loss of life.
Attacks on government infrastructure can pose national security risks. Critical government functions, defence systems, and intelligence operations may be compromised, impacting the overall security of a nation.
Cybersecurity incidents can erode public trust in institutions, particularly in sectors like healthcare and government. Confidence in the ability to protect sensitive information, ensure smooth functioning of critical systems, and provide essential services may be undermined.
Organisations in critical infrastructure sectors must prioritise cybersecurity measures, including regular risk assessments, threat monitoring, employee training, and the implementation of robust security protocols and technologies.
Sierra:21 is just one example of how devices in OT environments can be attacked through vulnerabilities that remain unpatched long after disclosure. Multiple cyber incidents over the years remind us why it is crucial to secure devices and networks not just in IT but also in OT environments.