CISA Warns on Unpatched ICS Vulnerabilities Lurking in Critical Infrastructure

The advisory comes the same week as a warning from the EU's ENISA about the potential for ransomware attacks on OT systems in the transportation sector.


The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued advisories for a total of 49 vulnerabilities in eight industrial control systems (ICS) used by organizations in multiple critical infrastructure sectors — some unpatched.

The need for organizations in critical infrastructure sectors to consider cybersecurity is growing. ICS and operational technology (OT) environments are no longer air-gapped or segmented as they once were, and are increasingly accessible over the Internet. As a result, ICS and OT networks have become increasingly popular targets for both nation-state actors and financially motivated threat groups.

That's unfortunate given that many of the vulnerabilities in CISA's advisory are remotely exploitable, involve low attack complexity, and allow attackers to take control of affected systems, manipulate and modify settings, escalate privileges, bypass security controls, steal data, and crash systems. The high-severity vulnerabilities are present in products from Siemens, Rockwell Automation, Hitachi, Delta Electronics, Keysight, and VISAM.

The CISA advisory coincided with a report from the European Union on threats to the transportation sector that also warned about the potential for ransomware attacks on OT systems used by aviation, maritime, railway, and road transport agencies. At least some of the vulnerable systems in CISA's advisory pertain to organizations in the transportation sector as well.

Low-Complexity, High-Impact Vulnerabilities

Seven of the 49 vulnerabilities in CISA's advisory are in Siemens' RUGGEDCOM APE1808 technology and currently have no fix. The vulnerabilities allow an attacker to elevate privileges on a compromised system, or to crash it. Organizations in multiple critical infrastructure sectors around the globe currently use the product to host commercial applications.

Seventeen other flaws are present in various third-party components that are integrated into Siemens' Scalance W-700 devices. Organizations in multiple critical infrastructure sectors use the product, including those in the chemical, energy, food and agriculture, and manufacturing sectors. Siemens has urged organizations using the product to update its software to v2.0 or later and to implement controls for protecting network access to the devices.

Thirteen of the newly disclosed vulnerabilities affect Delta Electronics' InfraSuite Device Master, a technology that organizations in the energy sector use to monitor the health of critical systems. Attackers can exploit the vulnerabilities to trigger denial-of-service conditions or to steal sensitive data that could be of use in a future attack.

Other vendors in CISA's advisory with multiple vulnerabilities in their products are VISAM, whose Vbase Automation technology accounted for seven flaws, and Rockwell Automation, with three flaws in its ThinManager product used in the critical manufacturing sector. Keysight had one vulnerability in its Keysight N6845A Geolocation Server for communications and government organizations, and Hitachi updated information on a previously known vulnerability in its Energy GMS600, PWC600, and Relion products.

This is the second time in recent weeks that CISA has warned organizations in critical infrastructure sectors about serious vulnerabilities in systems they use in industrial and operational technology environments. In January, the agency issued a similar alert on vulnerabilities in products from 12 ICS vendors, including Siemens, Hitachi, Johnson Controls, Panasonic, and Sewio. As with the current set of flaws, many of the vulnerabilities in the previous advisory also allowed threat actors to take over systems, escalate privileges, and create other havoc in ICS and OT settings.

OT Systems in the Crosshairs

Meanwhile, a report this week from the European Union Agency for Cybersecurity (ENISA) on cyberthreats to the transportation sector warned of potential ransomware attacks against OT systems, based on an analysis of 98 publicly reported incidents in the EU transportation sector between January 2021 and October 2022. 

The analysis showed that financially motivated cybercriminals were responsible for some 47% of the attacks. A plurality of these attacks (38%) was ransomware related. Other common motivations included operational disruptions, espionage, and ideological attacks by hacktivist groups.

Though OT systems were sometimes collaterally damaged in these attacks, ENISA's researchers found no evidence of directed attacks on them in the 98 incidents they analyzed. "The only cases where OT systems and networks were affected were either when entire networks were affected or when safety-critical IT systems were unavailable," the ENISA report said. However, the agency expects that to change. "Ransomware groups will likely target and disrupt OT operations in the foreseeable future."

The European cybersecurity agency's report pointed to an earlier ENISA analysis that warned of ransomware actors and other new threat groups tracked as Kostovite, Petrovite, and Erythrite targeting ICS and OT systems and networks. The report also highlighted the continued evolution of ICS-specific malware such as Industroyer, BlackEnergy, CrashOverride, and InController as signs of growing attacker interest in ICS environments.

"In general, adversaries are willing to dedicate time and resources in compromising their targets to harvest information on the OT networks for future purposes," the ENISA report said. "Currently, most adversaries in this space prioritize pre-positioning and information gathering over disruption as strategic objectives."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
