Honeywell security system
Image: Honeywell

Security company Armis, in collaboration with operational technology company Honeywell, identified new vulnerabilities in Honeywell Experion distributed control system platforms. These vulnerabilities could potentially allow remote execution of malware on Honeywell servers and controllers, the companies said.

Tom Gol, chief information officer for research at Armis, wrote in a blog post that the vulnerability, named Crit.IX, provides access to devices and allows attackers to alter the operation of DCS controllers. He noted that the vulnerabilities enable attackers to compromise devices without requiring authentication.

Jump to:

DCS controllers comprise workstations distributed across a facility that manage processes in manufacturing, power generation, petrochemical plants and other chemical operations. Due to the vulnerability, attackers only need network access to manipulate or disrupt controllers and engineering workstations.

“Potentially any compromised IT, IoT, and OT assets on the same network as the DCS devices could be leveraged for an attack,” Gol wrote.

SEE: Engineering PCs are at high risk of attack (TechRepublic)

Legacy systems make industrial infrastructure a prime target

DCS and SCADA (supervisory control and data acquisition) systems are becoming increasingly vulnerable, according to Armis. The firm’s research team explained through email that the attraction for these critical infrastructure networks is a result of inadequately secured legacy systems, coupled with the potential for significant financial losses, making them lucrative for cybercrime and actors.

“By exploiting one of these vulnerabilities, an attacker can crash controllers in the network, resulting in lost products, unscheduled downtime, destruction of equipment, risk of physical injuries,” the researchers said.

They said leveraging a single vulnerability could achieve remote code execution on both the controller and the server, “enabling attackers to alter the operation of the controller while hiding it on the server. Such an attack can lead to the compromise of pharmaceutical badges, chemical compounds, and the disruption of power distribution to interconnected systems downstream.”

Vulnerabilities found in Experion gear

In May 2022, Armis confirmed with Honeywell that the Experion C300 controller and servers have 13 code issues, constituting nine new vulnerabilities, seven of which are critical, according to Gol.

The Armis team explained that a combination of methods may compromise the Honeywell Experion server, take control over the engineering workstation running it and use it as a stronghold to move laterally and carry out attacks within the network.

The team said that vulnerabilities in the CDA protocol could allow an attacker access to the same network segment as the controller, causing memory corruption to crash and a denial of service.

“Due to the severity of these vulnerabilities and the impact, Honeywell and Armis have been working together to investigate these findings, understand the underlying issues, and work towards a patch,” Gol wrote, adding that Honeywell has made available security patches and strongly advised all affected customers to apply these patches immediately.

3 Honeywell platforms compromised

Three Honeywell Experion DCS platforms are affected, according to Amis, compromising products in the:

  • Experion Process Knowledge System platform.
  • LX and PlantCruise platforms (Engineering Station and Direct Station).
  • C300 DCS Controller, used across all three platforms.

A significant issue is that the legacy versions of Honeywell’s CDA protocol used for communication between Honeywell Experion Servers and C300 controllers lack encryption and proper authentication mechanisms. That lack means anyone with access to the network can impersonate the controller and the server, Gol wrote. He added that issues include buffer overflows that can happen due to design flaws in the CDA protocol, making it challenging to control data boundaries.

How bad are operational technology attacks? Ask Colonial Pipeline

“Over the past few years we have seen a steady increase in notable attacks and vulnerabilities on Operational Technology (OT) targets highlighting the increasing risks faced by critical infrastructure systems,” Gol said, citing the infamous Colonial Pipeline ransomware attack in May 2021 and the 2022 attack on an Iranian steel mill by the “Predatory Sparrow” group, which claimed its attack caused a major fire.

SEE: Ransomware attacks increased 91% in March (TechRepublic)

Steps to ameliorate the issues

The Armis research team said that due to the severity of these vulnerabilities and their impact, Honeywell and Armis have been working together to investigate these findings, understand the underlying issues and develop patches.

“Honeywell has made available security patches for all 9 vulnerabilities and strongly advises all affected organizations to promptly apply them,” said the research team via email. They said Honeywell Customers can access and apply patches by logging into and searching through the Technical Publications section.

“Armis will be diving deeper, driving further discussions around these vulnerabilities over the next few weeks and months,” they said.