New vulnerabilities found in industrial control systems of major vendors

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued advisories on 49 vulnerabilities in eight industrial control systems (ICS) this week, which are used across multiple critical infrastructure sectors.

The vulnerabilities identified by CISA were tracked in products from ICS providers including Siemens, Hitachi, Rockwell, Delta Electronics, VISAM, and Keysight.

Many of the vulnerabilities in CISA’s advisory are remotely exploitable, involve low attack complexity, and allow attackers to take control of affected systems, manipulate and modify settings, escalate privileges, bypass security controls, steal data, and crash systems.

Siemens systems have the most vulnerabilities

Twenty-three out of the 49 vulnerabilities in the advisory are from the Siemens systems, seven of which are yet-to-be-patched exploits in Siemens’ Ruggedcom APE1808, an industry-grade application processing engine (APE) module. The vulnerabilities in the APE module, used to host commercial applications, allow attackers to elevate privileges and compromise system functionalities.

The remaining 17 flaws were present in various third-party dependencies of Siemens’ Scalance W-700 devices, an industry-grade suite of networking and bus systems. These cover products in several critical infrastructure sectors ranging from chemical, energy, and food, to agriculture and manufacturing.

For the Scalance-based exploits, Siemens has urged organizations to update their software to v2.0 or later, and to implement controls for protecting network access to the devices.

Delta Electronics’ InfraSuite Device Master, a critical systems management technology used in the energy sector has received advisories against 13 new vulnerabilities that can be exploited to trigger denial-of-service conditions or to steal sensitive data.

New vulnerabilities were also found in VISAM’s Vbase Automation technology (7), Rockwell Automation’s ThinManager (3), Keysight N6845A Geolocation Server (1), Hitachi’s Energy GMS600, PWC600, and Relion products (1).

The CISA advisory coincided with a report from the European Union on threats to the transportation sector that also warned about the potential for ransomware attacks on OT systems used by aviation, maritime, railway, and road transport agencies. At least some of the vulnerable systems in CISA’s advisory pertain to organizations in the transportation sector as well.

Previously isolated, ICS and operational technology (OT) environments are no longer segregated and are now more accessible via the internet. This has made both ICS and OT networks more attractive targets for both financially motivated threat groups and nation-state actors.

Earlier this year, CISA issued a warning regarding multiple vulnerabilities affecting remote access and management systems used by critical infrastructure companies, especially in the energy and transportation sectors, including Sewio, InHand Networks, Sauter Controls, and Siemens.

The latest CISA advisory coincides with a European Union Agency for Cybersecurity (ENISA) report published this week, warning of potential ransomware attacks against OT systems in the EU transport sector. A few of the vulnerabilities reported by CISA can also be exploited in the transport sector.