The US Cybersecurity and Infrastructure Security Agency has revealed new vulnerabilities in industrial systems from leading vendors including Siemens, Delta Electronics, Hitachi and Rockwell.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued advisories this week on 49 vulnerabilities in eight industrial control systems (ICS) that are used across multiple critical infrastructure sectors.
The vulnerabilities identified by CISA were tracked in products from ICS providers including Siemens, Hitachi, Rockwell, Delta Electronics, VISAM, and Keysight.
Many of the vulnerabilities in CISA’s advisory are remotely exploitable, involve low attack complexity, and allow attackers to take control of affected systems, manipulate and modify settings, escalate privileges, bypass security controls, steal data, and crash systems.
Siemens systems have the most vulnerabilities
Twenty-three out of the 49 vulnerabilities in the advisory are in Siemens systems, seven of which are yet-to-be-patched vulnerabilities in Siemens’ Ruggedcom APE1808, an industry-grade application processing engine (APE) module. The vulnerabilities in the APE module, used to host commercial applications, allow attackers to elevate privileges and compromise system functionalities. The remaining 17 flaws were present in various third-party dependencies of Siemens’ Scalance W-700 devices, an industry-grade suite of networking and bus systems. These cover products in several critical infrastructure sectors ranging from chemical, energy, and food, to agriculture and manufacturing.
For the Scalance-based vulnerabilities, Siemens has urged organizations to update their software to v2.0 or later, and to implement controls for protecting network access to the devices.
Delta Electronics’ InfraSuite Device Master, a critical systems management technology used in the energy sector, has received advisories against 13 new vulnerabilities that can be exploited to trigger denial-of-service conditions or to steal sensitive data.
New vulnerabilities were also found in VISAM’s Vbase Automation technology (7), Rockwell Automation’s ThinManager (3), Keysight N6845A Geolocation Server (1), and Hitachi’s Energy GMS600, PWC600, and Relion products (1).
The CISA advisory coincided with a report from the European Union on threats to the transportation sector that also warned about the potential for ransomware attacks on OT systems used by aviation, maritime, railway, and road transport agencies. At least some of the vulnerable systems in CISA’s advisory pertain to organizations in the transportation sector as well.
Previously isolated, ICS and operational technology (OT) environments are no longer segregated and are now more accessible via the internet. This has made both ICS and OT networks more attractive targets for both financially motivated threat groups and nation-state actors.
Earlier this year, CISA issued a warning regarding multiple vulnerabilities affecting remote access and management systems used by critical infrastructure companies, especially in the energy and transportation sectors, including Sewio, InHand Networks, Sauter Controls, and Siemens.
The latest CISA advisory coincides with a European Union Agency for Cybersecurity (ENISA) report published this week, warning of potential ransomware attacks against OT systems in the EU transport sector. A few of the vulnerabilities reported by CISA can also be exploited in the transport sector.