Security researchers have found several vulnerabilities in Honeywell devices used in critical industries that could, if exploited, allow hackers to cause physical disruption and potentially affect the safety of human lives.
Researchers at Armis, a cybersecurity firm specializing in asset security, discovered nine vulnerabilities in Honeywell's Experion distributed control system (DCS) products. These are digital automated industrial control systems used to control large industrial processes across critical industries, such as energy and pharmaceuticals, where high availability and continuous operations are essential.
The vulnerabilities, seven of which were given a critical-severity rating, could allow an attacker to remotely run unauthorized code on both the Honeywell server and the controllers, according to Armis. An attacker would need network access to exploit the flaws, which could be gained by compromising a device inside the network, from a laptop to a vending machine. However, the bugs allow unauthenticated access, which means an attacker would not need to log into the controller in order to exploit it.
While there was no evidence of active exploitation, Armis tells TechCrunch that hackers could use these flaws to take over the devices and alter the operation of the DCS controller.
"Worse case scenarios you can think of from a business perspective are complete outages and a lack of availability. But there's worse scenarios than that, including safety issues that can impact human lives," Curtis Simpson, CISO at Armis, told TechCrunch.
Simpson said that the nature of the bugs means an attacker can hide these changes from the engineering workstation that manages the DCS controller. "Imagine you have an operator with all the displays controlling the information from the plant, in this environment, everything is fine," he added. "When it comes to down below in the plant, everything is essentially on fire."
This is especially problematic for the oil and gas mining industry, Armis says, where Honeywell DCS systems operate. Honeywell customers include energy giant Shell, U.S. government agencies including the Department of Defense and NASA, and research-based biopharmaceutical company AstraZeneca, according to Honeywell's website.
"If you're able to disrupt critical infrastructure, you're able to disrupt a country's ability to operate in many different ways," Simpson said. "Recovering from this would also be a nightmare. If you look at the pervasiveness of this type of attack, coupled with the lack of cyber awareness about this ecosystem, it could cost organizations millions of dollars per hour to rebuild."
Armis tells TechCrunch that it alerted Honeywell to the vulnerabilities, which affect a number of its DCS platforms, including the Honeywell Experion Process Knowledge System, the LX and PlantCruise platforms, and the C300 DCS Controller, in May. Honeywell made patches available the following month and is urging all affected organizations to apply them promptly.
When reached for comment, Honeywell spokesperson Caitlin E. Leopold said: "We have been working with ARMIS on this issue as part of a responsible disclosure process. We have released patches to resolve the vulnerability and notified impacted customers. There are no known exploits of this vulnerability at this time. Experion C300 owners should continue to isolate and monitor their process control network and apply available patches as soon as possible."