Recent reports from the US Cybersecurity and Infrastructure Security Agency (CISA) have highlighted critical security vulnerabilities in factory automation software from industry giants Mitsubishi Electric and Rockwell Automation. These vulnerabilities pose serious risks, including remote code execution, authentication bypass, product tampering, and denial-of-service attacks.
One of the identified vulnerabilities affecting Mitsubishi Electric’s software (CVE-2023-6943, CVSS score of 9.8) allows an attacker to exploit a function with a path to a malicious library while connected to the device, potentially leading to authentication bypass, remote code execution, denial-of-service, or data manipulation. On the other hand, Rockwell Automation’s security flaw (CVE-2024-10386, CVSS 9.8) stems from a missing authentication check, enabling a cyber attacker with network access to send crafted messages to a device, resulting in potential database manipulation.
These critical vulnerabilities are part of a larger set of issues impacting Mitsubishi’s and Rockwell Automation’s smart-factory offerings, as outlined in CISA’s recent disclosure. Both companies have taken steps to address these vulnerabilities, offering mitigation strategies for manufacturers to implement and safeguard their systems from potential compromise.
In addition to these critical vulnerabilities, there are also noncritical bugs that have been identified. For example, an out-of-bounds read vulnerability (CVE-2024-10387, CVSS 7.5) affecting Rockwell Automation’s FactoryTalk ThinManager could result in denial-of-service. Similarly, a vulnerability in Mitsubishi Electric FA Engineering Software Products (CVE-2023-6942, CVSS 7.5) could allow a remote unauthenticated attacker to bypass authentication by sending specially crafted packets. Furthermore, an authentication bypass vulnerability in the Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (CVE-2023-2060, CVSS 8.7) could enable remote, unauthenticated attackers to access the module via FTP due to weak password requirements.
Manufacturers are strongly advised to apply patches and mitigation measures promptly to protect their systems, especially since smart factories are among the most targeted sectors in terms of industrial control systems. This warning comes amidst escalating nation-state attacks on US critical infrastructure, with CISA raising concerns about Russian and Chinese advanced persistent threats (APTs) continuing their assaults on utilities, telecoms, and other high-value targets. Recently, Canada also highlighted sustained cyber assaults from China on its critical infrastructure footprint.
The increasing sophistication and frequency of these cyber threats underscore the importance of robust cybersecurity measures in the manufacturing sector. As the industry continues to digitize and automate operations, ensuring the security and integrity of these systems is paramount to avoid potentially devastating consequences. It is imperative for organizations to remain vigilant, prioritize security updates, and collaborate with cybersecurity experts to stay ahead of evolving threats in the ever-changing digital landscape.