Kaspersky discovers (and has corrected) a series of vulnerabilities in industrial devices
Kaspersky ICS CERT researchers have discovered a number of vulnerabilities in a framework developed by CODESYS. The bugs, now resolved, could have opened the door to destructive cyber attacks.
One of the most widely used industrial frameworks contained a series of serious vulnerabilities that would have allowed an attacker to remotely take control of systems and launch cyber attacks with potentially very serious consequences.
The framework in question is that of CODESYS, adopted by around 350 suppliers and used in numerous sectors, such as energy production, manufacturing and industrial IoT systems.
The bug that plagued PLC and human-machine interfaces
Industrial systems rely on PLCs (Programmable Logic Controllers) to function. These programmable devices underpin a great deal of industrial equipment, often critical, such as power plants and smart city infrastructure. They are programmed through a framework, with which engineers load the code the controller needs in order to work.
Analyzing the CODESYS framework, Kaspersky ICS CERT researchers found more than a dozen vulnerabilities, four of which were particularly serious: CVE-2018-10612, CVE-2018-20026, CVE-2019-9013 and CVE-2018-20025.
These bugs could have allowed an attacker to gain access to the systems and, from there, steal passwords or other confidential data and inject malicious code. What is more serious is that they could have done so without raising any alarm, practically invisible to security staff.
Before making the vulnerabilities public, Kaspersky worked with CODESYS to solve the problem, which has now been corrected.
"The security of the solutions is a theme of great importance for the CODESYS Group," declared Roland Wagner, Head of Product Marketing of CODESYS Group. "We appreciated very much the complete results of the research provided by Kaspersky; they helped us to make CODESYS an even safer tool. For many years we have been making great technical and administrative efforts to constantly improve the security features of CODESYS. All detected vulnerabilities are immediately analyzed, evaluated, ranked in order of priority and reported in a notice. The corrections, in the form of software updates, are promptly developed and made available to all users of CODESYS in the Store."
Kaspersky’s recommendations for securing PLC
Since CODESYS has published patches that resolve the problems, it is essential to update the firmware of all devices programmed with this framework as soon as possible. Independently of this, the security company stresses the importance of isolating and regulating the network over which industrial devices communicate, and of protecting development systems and SCADA environments with appropriate measures.
The detailed report on these vulnerabilities can be consulted on the Kaspersky ICS CERT website.
ICS Vulnerabilities Database, Kaspersky’s new threat intelligence service
Starting in November, Kaspersky will launch a new intelligence service dedicated to industrial organizations: ICS Vulnerabilities Database. It is a constantly updated database listing all known vulnerabilities in industrial control systems (ICS) and industrial IoT devices from different manufacturers.
Each database entry will contain detailed technical information that allows industrial organizations to check whether their assets are vulnerable and, where they are, to assign priorities and schedule updates.
"This new service aims to help customers improve vulnerability management and incident detection thanks to Kaspersky's expertise," said Kaspersky Head of Kaspersky Industrial Cybersecurity Business Development. "The penetration tests and periodic vulnerability assessments of an industrial company could provide a complete picture of the state of information security, thus motivating the teams involved in Operational Technology (OT) and cybersecurity to make any improvements. The constant assessment of vulnerabilities is one of the most important aspects of remediation planning to reduce the surface area of a possible attack, but nowadays this type of assessment could only be implemented passively, due to the very nature of the environments. Unfortunately, the sources of information on vulnerabilities in the ICS or IIoT ecosystems available today do not contain much information and do not possess the coherence and clarity necessary for an ongoing and effective assessment of vulnerabilities. I believe that 'ready-to-use' intelligence and the orientation that the ICS vulnerability database can provide will help solve this problem."