
ControlLogix RCE Exploit Results in Major Disruption at Japan’s Largest Port; Cl0p Hackers Target Schneider Electric and Siemens Energy, Exposing Solar Panel Vulnerabilities


An unnamed advanced persistent threat (APT) has recently acquired a remote code execution exploit that affects Rockwell Automation ControlLogix communications modules, BleepingComputer reports. Rockwell has already released patches for all affected products and is urging organizations to apply them immediately. Rockwell and the US Cybersecurity and Infrastructure Security Agency (CISA) analyzed the vulnerability, and both believe the exploit was developed with the intent to target critical infrastructure, including international customers.

The vulnerability, known as CVE-2023-3595, provides unauthorized access to manipulate firmware memory within the communication module responsible for handling network commands. This type of access is similar to the zero-day exploit used in the TRISIS attack by the XENOTIME threat group. By exploiting this vulnerability, an attacker could potentially corrupt information used for incident response and recovery.

Industrial control systems are an essential component of critical infrastructure, and vulnerabilities in these systems can pose significant risks. Researchers at Armis have recently discovered nine vulnerabilities in Honeywell’s Experion distributed control system (DCS) products, according to TechCrunch. These vulnerabilities could allow an attacker to remotely execute unauthorized code on both the Honeywell server and controllers. Curtis Simpson, the CISO at Armis, warns that the worst-case scenario would be complete outages and safety issues that could impact human lives. Honeywell has released patches for these vulnerabilities and advises all affected customers to isolate and monitor their process control network until the patches are applied.

In other cybersecurity news, the US Court of Appeals for the 8th Circuit has temporarily blocked an EPA memorandum that would require states to evaluate the cybersecurity of their water systems, as reported by the Washington Post. The court granted a temporary stay without providing any reasons for its decision. Three state attorneys general petitioned for the stay, with the support of several water utility associations. Petitioners expressed skepticism about the EPA’s proposed rules, which they viewed as a simplistic approach that would impose a heavy financial burden on smaller utilities. The EPA has highlighted the increasing frequency of cyberattacks against water systems and the potential risks they pose.

The Transportation Security Administration (TSA) has updated its security rules for oil and natural gas pipeline operators, according to a memorandum released by the agency. The revised security directive now requires operators to not only develop processes and cybersecurity implementation plans but also to test and evaluate those plans. TSA Administrator David Pekoske stated that the agency is committed to keeping the nation’s transportation systems secure, especially in the face of growing cyber threats. Operators will need to submit an updated Cybersecurity Assessment Plan annually, and 100% of security measures will need to be assessed every three years.

The White House has recently published an Implementation Plan for the National Cybersecurity Strategy. The plan focuses on five pillars, with the first pillar, “Defending Critical Infrastructure,” of particular interest to industrial control system operators. The objective is to establish cybersecurity requirements to support national security and public safety by addressing perceived gaps in current regulatory regimes. The plan also emphasizes the need for public-private collaboration and the integration of federal cybersecurity centers. It calls for the modernization of federal defenses, including the development of comprehensive incident response plans and processes. The plan encourages operators of critical infrastructure to engage with their Sector Risk Management Agencies for guidance and support.

The federal government has issued voluntary IoT security guidelines and announced a cybersecurity labeling program for smart devices. The program, overseen by the Federal Communications Commission (FCC), will introduce a “U.S. Cyber Trust Mark” that manufacturers and retailers can use to identify products with established cybersecurity criteria. Companies such as Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung Electronics have already committed to the program. The goal is to provide consumers with the information they need to make informed decisions about the security of the devices they bring into their homes.

Overall, recent cybersecurity developments highlight the ongoing threats and vulnerabilities faced by critical infrastructure. It is crucial for organizations and governments to remain vigilant and proactive in addressing these risks to ensure the security and safety of essential systems.
