DHS warns of vulnerabilities in popular, outdated ICS software
Popular web-based Honeywell software programs that are used to control IT systems in wastewater, energy and manufacturing facilities could be remotely hacked, an advisory from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, warned Thursday.
A total of five different vulnerabilities were discovered in the code for older versions of Honeywell’s XL1000C500 XLWebExe-2-01-00 and XLWeb 500 XLWebExe-1-02-08 controllers. The company has already released a security update, but users will need to contact their local Honeywell branch to receive the actual patch.
One of the most concerning vulnerabilities shows that the controllers’ passwords are being stored in clear text, which offers no cryptographic protection. This is fairly common in older industrial control systems, according to Justin Fier, director of cyber intelligence and analysis for Darktrace.
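The cleartext password storage the advisory describes, placed beside the salted, iterated hash that would have given the stored credentials cryptographic protection. This is an added example, not code from the article, the advisory or Honeywell; the sample credential, store layout and function names are constructed for illustration.

```python
"""Contrast a cleartext credential store with a salted PBKDF2 store.

Added example; not the controller's code. SAMPLE_USER / SAMPLE_PASSWORD
and the dict-based store are constructed for the demonstration.
"""
import hashlib
import hmac
import os

SAMPLE_USER = "operator"
SAMPLE_PASSWORD = "changeme"  # constructed value, not a real default


# --- Weak pattern: the store holds the password itself -------------------
def store_cleartext(store: dict, user: str, password: str) -> None:
    """Anyone who can read the store (backup, config dump, memory) reads the password."""
    store[user] = password


def verify_cleartext(store: dict, user: str, password: str) -> bool:
    return store.get(user) == password


# --- Hardened pattern: per-user salt + PBKDF2-HMAC-SHA256 -------------------
PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-SHA256


def store_hashed(store: dict, user: str, password: str, salt=None) -> None:
    """Keep only a random salt and the derived key; the password itself is never written."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    store[user] = {"salt": salt.hex(), "hash": dk.hex()}


def verify_hashed(store: dict, user: str, password: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    rec = store.get(user)
    if rec is None:
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(rec["salt"]), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(dk.hex(), rec["hash"])


def password_visible_in_store(store: dict, password: str) -> bool:
    """Audit check: does a serialized copy of the store expose the password?"""
    return password in repr(store)


def demo() -> dict:
    """Run both patterns on the constructed credential and report what each exposes."""
    weak, hardened = {}, {}
    store_cleartext(weak, SAMPLE_USER, SAMPLE_PASSWORD)
    store_hashed(hardened, SAMPLE_USER, SAMPLE_PASSWORD)
    return {
        "weak_accepts_correct": verify_cleartext(weak, SAMPLE_USER, SAMPLE_PASSWORD),
        "weak_exposes_password": password_visible_in_store(weak, SAMPLE_PASSWORD),
        "hardened_exposes_password": password_visible_in_store(hardened, SAMPLE_PASSWORD),
        "hardened_accepts_correct": verify_hashed(hardened, SAMPLE_USER, SAMPLE_PASSWORD),
        "hardened_rejects_wrong": not verify_hashed(hardened, SAMPLE_USER, "wrong"),
        "hardened_rejects_unknown_user": not verify_hashed(hardened, "nobody", SAMPLE_PASSWORD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The audit check is the point a reviewer of a legacy controller would apply: if a copy of the credential store, a configuration backup or a firmware image contains the password string, the device has the weakness described above regardless of how the login page itself behaves.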
The fact that an older Honeywell controller carries these computer code flaws is neither surprising nor particularly alarming, explained Fier.
The two affected controller versions are predominantly employed in factories across Europe and the Middle East.
“Because of the state of global cybersecurity, you will probably start to see more of this though … there will be more due diligence especially in ICS, where there are so many legacy IT systems still in use,” Fier said. “I think we’re going to see big change over the next 18 months in terms of investment, security audits and maybe even government policy when it comes to securing these industrial systems.”
The aforementioned vulnerabilities also allow an attacker to obtain sensitive internal information on the server side while appearing to be an authenticated network administrator.
“Honeywell should have used effective encryption from the start, but this is not a serious vulnerability and Honeywell’s installation guidance is to not make this equipment internet-accessible. Any installations following Honeywell’s guidance should be fine until they can patch,” said Sergio Caltagirone, director of threat intelligence and analytics for Dragos.
“Unencrypted ICS communications are normal and usually have an unchanged default password. This is to make regular maintenance and quick access in an emergency easy. While better security controls should be in place this equipment shouldn’t be internet-accessible,” Caltagirone explained.
Independent German cybersecurity researcher Maxim Rupp has been credited with finding the software bugs. He described them in an in-depth blog post earlier this week, before DHS announced the advisory publicly.