General Overview
Today Armis and Honeywell have jointly disclosed “Crit.IX”, nine new vulnerabilities that Armis researchers found in the Honeywell Experion® DCS platforms. They allow unauthenticated remote code execution on legacy versions of both the Honeywell Experion server and the C300 controllers. If exploited, they would allow an attacker to take over the devices and alter the operation of the DCS controller, while hiding those alterations from the engineering workstation that manages the controller. Exploitation does not require authentication, only network access to the targeted devices, so any compromised IT, IoT or OT asset on the same network as the DCS devices could potentially be leveraged for an attack.
In May 2022 Armis confirmed with Honeywell the discovery of 13 code issues within the Experion C300 controller and server. These roll up into nine new vulnerabilities, seven of them rated critical. Given their severity and impact, Honeywell and Armis have worked together to investigate the findings, understand the underlying issues and produce a fix. Honeywell has made security patches available and strongly advises all affected customers to patch immediately.
Key findings:
- Our research revealed weak points in the CDA protocol, a proprietary protocol designed by Honeywell for communication between Experion servers and C300 controllers. In legacy versions this protocol has neither encryption nor proper authentication, so anyone with access to the network can impersonate both the controller and the server. In addition, design flaws in the CDA protocol make it hard for the receiving side to enforce the boundaries of the data it parses, which can lead to buffer overflows.
- Honeywell also implements the CDA Data Client Named Access protocol on the Experion server. It is used for communication between the Experion® server and Experion® applications and gives those applications access to tags by name. Honeywell’s implementation of this protocol was found to contain four vulnerabilities that allow remote code execution (RCE) on the Experion server.
- During the disclosure process we learned that, because the vulnerable code is reused in other products, the vulnerabilities also affect Honeywell’s LX and PlantCruise platforms.
Affected devices
The newly discovered vulnerabilities affect a variety of products across a range of versions in three Honeywell Experion DCS platforms: in the Experion Process Knowledge System (EPKS) platform, the Experion Server and Experion Station; in the LX and PlantCruise platforms, the Engineering Station and Direct Station. In addition, the vulnerabilities affect the C300 DCS controller, which is used across all three platforms.
Safeguarding Critical Infrastructure
Over the past few years we have seen a steady increase in notable attacks on, and vulnerabilities in, Operational Technology (OT) targets, highlighting the growing risk faced by critical infrastructure.
One significant example was the attack on an Iranian steel mill in June 2022, reportedly carried out by the “Predatory Sparrow” hacktivist group. The group stated that it caused a serious fire within the facility and released a video that appeared to be CCTV footage, showing workers evacuating an area of the plant before a machine began emitting molten steel and fire. The attack stands out because it caused physical damage, something few cyber attacks do.
Another high-profile incident involved the Colonial Pipeline, one of the largest fuel pipelines in the United States. In May 2021 the pipeline suffered a ransomware attack that disrupted fuel supplies along the East Coast. The attackers compromised the pipeline’s IT network, yet the result was operational disruption and fuel shortages in several states. The event highlighted how interconnected IT and OT systems are and underlined the need for robust cybersecurity measures across every part of critical infrastructure.
These examples serve as stark reminders of the growing threat landscape and the urgent need to bolster defenses, implement robust security measures, and promote collaboration between stakeholders to safeguard critical OT systems from potential attacks and vulnerabilities.
ICS vulnerabilities pose a significant risk to critical infrastructure, including power plants, manufacturing facilities, and oil refineries. Responsible vulnerability disclosure plays a crucial role in ensuring the protection of these systems from potential attacks and minimizing the impact on public safety and operational continuity.
Armis takes responsible disclosure very seriously and is pleased to have worked with Honeywell on a path to support organizations that were potentially exposed to these critical vulnerabilities.
Responsible Disclosure and Collaboration
The Armis technical white paper describes the vulnerabilities in detail and how the Armis team found them. You can review the paper here: https://media.armis.com/pdfs/wp-critix-honeywell-experion-vulnerabilities-en.pdf
Mitigation
Honeywell has made available security patches and strongly advises all affected organizations to promptly apply them.
Honeywell customers can access and apply the patches by logging into https://process.honeywell.com/ and searching the Technical Publications section. For more information on Honeywell’s Coordinated Vulnerability Disclosure process, visit https://www.honeywell.com/us/en/product-security.
Applying these patches and firmware updates should be treated as a priority, since they are the only complete fix for the reported vulnerabilities. Beyond that, organizations should keep up their broader security practices, including routine security assessments, penetration testing and comprehensive security training for their development teams.
How Armis can help
Developing and deploying patches for vulnerabilities in controllers and engineering workstations is essential to reduce the attack surface of OT environments. Because these assets are business-critical and directly affect operational processes, releasing and installing patches for them requires a thorough QA process and, most likely, a maintenance and outage window, which can take a long time to coordinate and complete. It is reasonable to assume that affected assets will remain vulnerable for an extended period. During that time, compensating controls can be put in place to detect and prevent attacks on these critical infrastructure assets.
Armis customers can leverage the Asset Intelligence and Security Platform to protect their network in the following ways:
- Achieve comprehensive Asset Visibility. With an accurate inventory covering hardware, firmware and software versions, organizations can identify the vulnerable servers and controllers in their environment.
- Run a Vulnerability Management program that prioritizes by risk. This lets organizations address their weakest points first and reduce the risk of exploitation of devices for which no patch is yet available, while applying security patches promptly once released shortens the window of exposure.
- Since the discovered vulnerabilities require only network access to a vulnerable device, Network Segmentation goes a long way toward preventing their exploitation. By dividing the network into segments based on security level or device type, organizations limit an attacker’s lateral movement, contain potential threats and reduce the impact on vulnerable devices. Segmentation in OT environments can follow an industry reference model such as the Purdue Model, which gives a logical, functional view of the OT environment and can be used to spot deviations from the expected behavior of OT assets, especially traffic reaching Level 0 and Level 1 devices from higher levels, including assets on the IT network. Segmentation is then achieved by understanding these asset behaviors and allow-listing only the expected ones.
- Experience has shown that even well protected networks are susceptible to breaches. A robust Threat Detection capability is therefore essential, one that can identify exploit attempts across the entire network and all device classes, including IT, OT and IoT. Combining detection techniques such as signature-based analysis, anomaly detection and indicators of compromise (IOCs) adds a further layer of defense should an attack occur.
Coordinated Disclosure
The discovery and disclosure of vulnerabilities such as those in Honeywell’s Experion C300 controller are essential to the continuous improvement of industrial cybersecurity. By responsibly reporting vulnerabilities to vendors like Honeywell, security researchers play a vital role in safeguarding critical infrastructure and fostering a more secure environment for industrial control systems. Collaboration and coordinated disclosure are what allow the security posture of industrial control systems to improve and the associated risks to be reduced.
The Armis Research Process
At Armis Research Labs, our team specializes in technical analysis of a wide range of devices to gain a thorough understanding of their protocols and evaluate their cybersecurity posture. Once we understand a protocol well, we can monitor the relevant device’s traffic for abnormalities and detect attackers as well as misconfigurations and malfunctions.
For further information, including mitigation strategies, please visit our landing page.
Further Discussion Forthcoming
Armis will be going deeper into these vulnerabilities and driving further discussion of them over the coming weeks and months.
At Black Hat U.S., Carlos Buenano, Principal Solutions Architect OT at Armis, will present on these findings during his session, “Securing critical infrastructure (vulnerability disclosure) with Armis.” This 50-minute session is taking place on Wednesday, August 9, 2023 from 3:00-3:50pm PT at Mandalay Bay in Las Vegas. For further information, please visit: https://www.blackhat.com/us-23/sponsored-sessions/schedule/index.html#securing-critical-infrastructure-vulnerability-disclosure-with-armis-34229
Additionally, Carlos and I will jointly present during a webinar on these vulnerabilities. The webinar will take place on Wednesday, September 6th at 11am ET. Register here: https://event.on24.com/wcc/r/4279011/6F70E4737D9E7789C3C9B69953F6307A?partnerref=blog