9 Vulnerabilities Have Been Found in Honeywell’s Experion® Platforms for DCS
In this article, we will talk about 9 vulnerabilities discovered by researchers in Honeywell Experion® DCS platforms. The vulnerabilities are serious: the most severe of them can lead to unauthenticated remote code execution, both on unpatched versions of the Experion server and on the controllers themselves.
An attacker who achieves this can change how the DCS controller operates and, at the same time, hide those changes from the engineering workstation that supervises the controller.
In addition, exploiting these vulnerabilities against the controller requires no authentication; network access to the target devices is enough. This means that any compromised IT asset, IoT device or OT service that sits on the same network as the DCS devices can potentially be used as a pivot point for an attack, which is why reachability, not just patch status, has to be part of the risk assessment.
Which devices are at risk?
The vulnerabilities were found on three Honeywell Experion DCS platforms: the Experion Process Knowledge System (EPKS) platform (Experion server and Experion station), and the LX and PlantCruise platforms (engineering station and direct station). In addition, the vulnerabilities affect the C300 DCS controller, which is used on all three platforms.
It is no secret that over the past few years many attacks targeting vulnerabilities in operational technology (OT) devices have been recorded, and they illustrate the risks that critical infrastructure systems face.
One example is the attack on an Iranian steel mill, reportedly carried out by the hacktivist group “Predatory Sparrow” in June 2022. The group claimed it had caused a serious fire at the plant and posted a video that appeared to have been recorded from the facility’s surveillance cameras.
The video showed plant employees evacuating before the fire started. This attack stands out because it caused physical damage, which is rare: the effects of most cyberattacks stay in the digital domain.
Another example is the attack on Colonial Pipeline, one of the largest fuel pipelines in the United States. In May 2021 the company was hit by ransomware that compromised its IT network; the resulting shutdown of pipeline operations disrupted fuel supplies along the East Coast and caused shortages in several states.
These are not the only examples of such attacks, but they are enough to show that the threat is growing and that protection methods need to be worked out in advance.
Vulnerabilities of this kind in DCS components pose a significant risk to critical infrastructure, including power plants, manufacturing facilities and refineries.
Search for solutions and international cooperation
Despite the growing threat and the emergence of ever more advanced attack methods, Honeywell has released security fixes and strongly recommends that all affected organizations apply them immediately.
Honeywell customers can obtain the fixes by logging in at https://process.honeywell.com/ and searching the technical publications section. For more information about Honeywell’s coordinated vulnerability disclosure process, visit https://www.honeywell.com/us/en/product-security.
Before deploying the fixes, prioritize them: start with the servers and controllers that are reachable from the widest part of the network, and validate each update in a test environment before applying it to production control systems. In addition, do not neglect the usual security practices, systematic testing and employee training, which together raise the overall level of protection.
How can Armis help?
Organizations that want to protect their business and the infrastructure around it can use the Armis platform, which is designed to analyze the assets and the security of their network in the following ways:
Create comprehensive visibility of assets. With a complete inventory of assets and what they do, you can quickly identify the vulnerable servers and controllers in your environment.
Run a vulnerability management program. This lets you reduce your exposure and limit the risk of exploits against devices for which no fix is yet available, while prompt application of the available fixes shortens the vulnerability window for the devices that can be patched.
Segment the network. By dividing the network into separate segments according to security level or device type, organizations can limit lateral movement by intruders, containing potential threats and reducing the impact on vulnerable devices.
Implement a reliable threat detection system. A combination of detection methods, including signature-based analysis, anomaly detection and indicators of compromise (IOCs), provides an additional layer of security and strengthens the overall defensive posture in the event of an attack.
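The segmentation and detection recommendations above can be turned into a concrete, testable rule. The following Python script is an added example written for this page; it is not code from the original article, from Armis or from Honeywell. It assumes a constructed asset inventory, a constructed controller subnet, an allowlist of engineering hosts, a constructed IOC list and a simple whitespace-separated flow log format; the port number used in the sample log is a placeholder, not a value taken from any advisory. The check flags any connection into the controller segment that does not come from an allowlisted engineering host, raises the severity when the target controller is still unpatched, and separately matches sources against the IOC list.

```python
"""Allowlist-based detection of unexpected access to DCS controllers.

Added example: inventory, subnet, allowlist, IOC list, port number and log
format are all constructed for illustration and are assumptions, not values
from the Honeywell advisories.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset inventory (assumed roles, addresses and patch state).
INVENTORY = {
    "10.10.1.10": {"role": "experion_server", "patched": True},
    "10.10.1.11": {"role": "engineering_station", "patched": True},
    "10.10.2.20": {"role": "c300_controller", "patched": False},
    "10.10.2.21": {"role": "c300_controller", "patched": True},
}

# Assumed controller segment; only these sources may initiate traffic into it.
CONTROLLER_NET = ip_network("10.10.2.0/24")
ALLOWED_SOURCES = {"10.10.1.10", "10.10.1.11"}

# Constructed IOC list (e.g. attacker hosts seen in an earlier incident).
IOC_SOURCES = {"10.10.5.99"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    severity: str
    reason: str
    flow: Flow


def parse_flow(line: str) -> Flow:
    """Parse one 'ts src dst dport' record (constructed log format)."""
    ts, src, dst, dport = line.split()
    ip_address(src)  # raises ValueError on a malformed address
    ip_address(dst)
    return Flow(ts, src, dst, int(dport))


def evaluate(flow: Flow) -> list[Finding]:
    """Apply the segmentation allowlist and IOC match to one flow."""
    findings: list[Finding] = []
    if ip_address(flow.dst) not in CONTROLLER_NET:
        return findings  # only traffic into the controller segment is policed here
    asset = INVENTORY.get(flow.dst)
    if asset is None:
        # Inventory gap: something in the controller segment we do not know about.
        findings.append(Finding("medium", "traffic to unknown asset in controller segment", flow))
        return findings
    if flow.src in IOC_SOURCES:
        findings.append(Finding("critical", "source matches IOC list", flow))
    if flow.src not in ALLOWED_SOURCES:
        # A non-engineering host reaching a controller is a segmentation
        # violation; it is worse when the controller still lacks the fix.
        severity = "critical" if not asset["patched"] else "high"
        findings.append(Finding(
            severity,
            f"non-allowlisted source reached {asset['role']} (patched={asset['patched']})",
            flow,
        ))
    return findings


def scan(lines) -> list[Finding]:
    """Run evaluate() over every non-comment line of a flow log."""
    findings: list[Finding] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings.extend(evaluate(parse_flow(line)))
    return findings


# Constructed sample log; 55000 is a placeholder port, not a real protocol port.
SAMPLE_LOG = """\
# ts src dst dport
2023-07-13T10:00:01 10.10.1.11 10.10.2.20 55000
2023-07-13T10:00:05 10.10.3.50 10.10.2.20 55000
2023-07-13T10:00:09 10.10.5.99 10.10.2.21 55000
2023-07-13T10:00:12 10.10.1.10 10.10.1.11 443
2023-07-13T10:00:15 10.10.3.51 10.10.2.99 55000
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f.severity.upper(), f.reason, f.flow)
```

On the sample log the first flow (engineering station to controller) is allowed, the second is a critical finding because an unknown host reached an unpatched controller, the third produces two findings (IOC match plus a non-allowlisted source against a patched controller), the fourth is ignored because it never enters the controller segment, and the fifth flags an asset the inventory does not know about. In a real deployment the inventory, allowlist and IOC set would be fed from the asset platform and threat intelligence rather than hard-coded, and the flow records would come from firewall, switch or span-port telemetry.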
Coordinated disclosure of information
Discovering and disclosing vulnerabilities such as those in the Honeywell Experion C300 controller is essential for the continuous improvement of industrial cybersecurity. By responsibly reporting vulnerabilities to vendors such as Honeywell, security researchers play a vital role in protecting critical infrastructure and creating a safer environment for industrial control systems. It is through joint effort and coordinated disclosure practices that the security of industrial control systems improves and the associated risks are reduced.