Security experts have identified a number of vulnerabilities in Honeywell products used in high-risk industries that, if abused, could let attackers cause physical disruption and possibly jeopardize the safety of people.
Experion distributed control system (DCS) devices from Honeywell were found to include nine vulnerabilities, according to researchers at Armis, a cybersecurity firm that specializes in asset protection.
These are digital automated industrial control systems that are used to manage sizable industrial processes in crucial sectors like the pharmaceutical and energy industries, where continuous operation and high availability are essential.
According to Armis, the vulnerabilities, seven of which have been assigned a critical severity rating, might allow an attacker to remotely run unauthorized code on the Honeywell server and controllers.
To exploit the holes, an attacker would need network access, which may be obtained by taking control of any networked device, from a laptop to a vending machine.
However, the flaws permit unauthenticated access, so an attacker could make use of them without logging into the controller.
Although there is no proof of active exploitation, Armis tells TechCrunch that hackers might use these issues to take control of the devices and change how the DCS controller functions.
“Complete outages and a lack of availability are the worst-case circumstances from a commercial standpoint. However, there are worse cases, such as safety problems that could endanger lives,” said Curtis Simpson, CISO of Armis, who spoke to TechCrunch.
According to Simpson, the flaws’ nature allows an attacker to conceal these modifications from the engineering workstation that oversees the DCS controller.
“Imagine you have an operator with all the displays controlling the information from the plant, in this environment, everything is fine,” he continued. “Down below in the plant, everything is pretty much on fire.”
According to Armis, this presents a particular challenge for the oil and gas mining sector, where Honeywell DCS systems are used. According to Honeywell’s website, customers of the corporation include the multinational oil company Shell, the Department of Defense and NASA, as well as the biopharmaceutical company AstraZeneca.
“If you can disrupt a country’s ability to function in many different ways, you can disrupt its critical infrastructure,” Simpson warned. “This would likewise be a nightmare to recover from.
It may cost organizations millions of dollars every hour to restore if you consider how widespread this type of attack is and how little people know about this ecosystem online.”
According to Armis, Honeywell was informed about the flaws in May. These flaws affect the Honeywell Experion Process Knowledge System, the LX and PlantCruise platforms, as well as the C300 DCS Controller.
The following month, Honeywell made patches available, and is urging all impacted firms to adopt them immediately.
In response to a request for comment, Caitlin E. Leopold, a spokeswoman for Honeywell, stated: “We have been working with ARMIS on this problem as part of a responsible disclosure procedure.
In order to address the issue, we have published updates and informed the affected consumers.
At this time, this vulnerability has no known exploits. Owners of Experion C300 devices should keep their process control network isolated, monitor it, and apply any fixes that are available right away.”