Control Loop OT Cybersecurity Briefing for 08.31.22

News Roundup

At a glance.

Cl0p ransomware gang attempts to extort the wrong water company.
DOE invests in securing the US power grid.
What the ransomware gangs want, and where they’re getting it.
Industroyer2 analysis.
Montenegro works to recover from Russian cyber offensive.
DDoS attack against Energoatom’s website.
NSTAC recommends cataloging Federal OT assets.
Chemical sector cybersecurity.
CISA's recent ICS vulnerability advisories.

Ransomware gang attempts to extort the wrong water company.

UK water supplier South Staffordshire Water has sustained an apparent ransomware attack that disrupted its IT systems, though the company says the attack hasn’t affected its ability to supply safe water to its customers. The company stated, “We are experiencing disruption to our corporate IT network and our teams are working to resolve this as quickly as possible. It is important to stress that our customer service teams are operating as usual. We are working closely with the relevant government and regulatory authorities and will keep them, as well as our customers, updated as our investigations continue.”

After the attack, however, the Cl0p ransomware gang claimed that it had gained access to SCADA systems at Thames Water, the UK’s largest water supplier. Thames Water called these claims a hoax, and it seems Cl0p was confused. Once the Cl0p gang began publishing stolen information, it became apparent that the data had actually been taken from South Staffordshire Water. Cl0p has since corrected their error, and is now attempting to extort South Staffordshire Water.

There have been some recent developments in this story, provided by Dragos. Dragos assesses with moderate confidence that the leaked data from South Staffordshire Water was indeed obtained by the Cl0p ransomware group. Two separate images serve as evidence of Cl0p’s claim of access to SSW’s operational technology (OT) and appear to be genuine screenshots of an Opus SCADA Master station Human Machine Interface (HMI) taken two days after the start of Cl0p’s data exfiltration. Dragos says, "We can't verify the Cl0p ransomware group's intent to specifically gain access to an OT environment, but they appear to have had sufficient access in the environment to conduct further operations in the environment, if desired." The assessment is significant, as ransomware gangs can't always be taken at their word when they claim to have succeeded in hitting a target. Cl0p in this case misfired in that they misidentified the specific utility they hit. But Cl0p does appear to have been behind the incident at South Staffordshire Water.

Cl0p struck a high moral tone in their extortion notes. The English may be broken, but the message is clear, if not fully convincing. “Clop is not political organization and we do not attack critical infrastructure or health organizations. We decide that we do not encrypt this company,” that is, Thames Water, or South Staffordshire Water, “but we show them that we have access to more of 5Tb of data. Every system including SCADA and these system which control chemicals in water. If you are shocked it is good.”

Why water, and why now? There’s a drought, the Wall Street Journal notes. Johan Claessens, security officer at Belgian water supplier Water-link, told the Journal, "We don’t have the luxury to have suboptimal production for an extended period of time. We really need every drop of water." Ilia Kolochenko, founder of ImmuniWeb, commented, “[While] Europe and other regions are suffering from the unprecedented wildfires and catastrophic drought, nefarious cybercriminals may purposely target critical national infrastructure in sophisticated cyber-attacks. In the case of financially motivated attacks designed to obtain a ransom, wrongdoers have significantly more chances of getting paid, by cruelly exploiting people in extreme need.” The greater the need, the higher the likelihood that people in extremis will be willing to pay up.

There are some well-established best practices that water utilities and other industrial operations can adopt to protect themselves from attacks of this kind. Dragos recommends that, for data involving key weaknesses, critical operational details, resiliency, physical security, and cybersecurity, organizations should consider implementing additional safeguards. Such safeguards might include encrypted archives with credentials that are separate from user active directory account credentials, or storage media located in protected network enclaves that are both hardened and monitored. Organizations should determine whether they have effective data cleanup policies and execution practices. Are sensitive files shared for legitimate business purposes such as maintenance and upgrade projects removed from data shares in a timely manner, or do they remain in directory structures in perpetuity? Are critical file types or shared files tagged and monitored for access and exfiltration?

DOE invests in securing the US power grid.

On August 18th the US Department of Energy (DOE) announced it’s putting $45 million toward cyber technology aimed at safeguarding the nation’s power infrastructure from cyber aggression, providing funding for up to fifteen research endeavors that focused on reducing cyber risks. These research projects are also intended to bolster relationships between energy sector utilities, vendors, and universities. Energy Secretary Jennifer Granholm issued a statement explaining, “As DOE builds out America’s clean energy infrastructure, this funding will provide the tools for a strong, resilient, and secure electricity grid that can withstand modern cyberthreats and deliver energy to every pocket of America.”

The Hill notes that this is just the latest move signaling the DOE’s efforts to improve the cybersecurity of the energy grid. In April, the agency announced a $12 million investment in six research projects focused on using anomaly detection, artificial intelligence, and machine learning to secure critical infrastructure including the power sector, and in July House legislators passed a bill establishing a DOE grant program for graduate students and postdoctoral researchers studying cybersecurity and energy infrastructure.

Kinetic attacks affect Ukrainian nuclear power plant.

A kinetic incident at a Ukrainian nuclear plant offers a reminder of the risk of potential cyberattacks. Reuters reports that fires caused by shelling near the Zaporizhzhia nuclear power plant cut power lines to the reactor complex, although backup generators prevented a disaster. Ukrainian president Zelenskiy stated, "If our station staff had not reacted after the blackout, then we would have already been forced to overcome the consequences of a radiation accident. Russia has put Ukraine and all Europeans in a situation one step away from a radiation disaster." While this incident was caused by kinetic activity, it highlights the potential consequences of cyberattacks that target power grids.

What the ransomware gangs want, and where they’re getting it.

Ransomware continues to present a threat to industrial operations. What are the gangs interested in, these days? On Tuesday, August 9th, Dragos released its Industrial Ransomware Analysis for the second quarter of 2022. While the threat actors’ interests and targeting can shift, the report includes a quick rundown of what the opposition’s interests look like now.

Some of the threat actors target by sector. Dragos describes three of these:

“Karakurt has been targeting mainly transportation entities.”
“VICE SOCIETY has been targeting only automotive manufacturing entities.”
“Lockbit 2.0 is the only group that targeted the pharmaceutical, mining, and water treatment sectors.”

Others show a geographical focus:

“Moses Staff has only targeted Israel.”
“Black Basta, Ransomhouse, and Everest have only targeted entities in the US and Europe.”
“Quantum and Lorenzo have only targeted North American-based entities.”

And, finally, the threat actors shift. Old ones grow quiescent and new ones start making noise. LAPSUS$, CLOP LEAKS, and Rook were active in the first quarter, but not now. Black Basta, Midas Leaks, Pandora, and Ransomhouse have been busy in the second quarter, but were nowhere to be seen in the first.

In general, ransomware attacks were fewer in the second quarter than they had been in the first, but on the other hand the more recent attacks were more consequential.

Dragos closes its report with a prediction:

“Due to the changes in ransomware groups themselves, Dragos assesses with moderate confidence that new ransomware groups will appear in the next quarter, whether as new or reformed ones. Dragos assesses with moderate confidence that ransomware with destructive capability will continue to target OT operations, given the continuous political tension between Russia and western countries.”

The key aspect of the rising ransomware threat to OT systems is the destructive capability that’s been on display elsewhere in Russia’s hybrid war against Ukraine. Wiper attacks began on February 24th, shortly before Russian troops crossed the line of departure in their invasion of Ukraine. They enjoyed some success against telecommunications targets, but these attacks seem to have peaked in February and March. By April they seem largely to have ceased to have much effect, and have been largely displaced by denial nuisance-level attacks by hacktivist front organizations and by familiar cyber espionage campaigns run by the usual intelligence services: the SVR, the FSB, and the GRU. But it would be unwise to be complacent. Russia has demonstrated a capability to wage destructive cyber war, and assuming that Moscow has given up would be folly.

Industroyer2 analysis.

One of the mysteries of Russia’s war against Ukraine has been the failure of the Russian cyber operators to live up to the high expectations they set back in 2016 when they used a cyber attack to shut down significant portions of the Ukrainian power grid. Apparently it wasn’t for want of trying.

At Black Hat 2022 earlier this month, ESET researchers Robert Lipovsky and Anton Cherepanov gave a presentation on Industroyer2, a successor to the Industroyer malware used to cause a power blackout in Kyiv in December 2016. Industroyer2 was deployed by the Russian threat actor Sandworm against a Ukrainian energy company in April 2022. While Industroyer2 was technically more sophisticated than the original malware, it failed to trigger a blackout.

“The attack was thwarted thanks to a quick response by the defenders at the targeted company, the work of CERT-UA, and our assistance,” Lipovsky said. “But although no blackout took place, it was still a big deal, because had the attack been successful, theoretically, more than two million people could have been left in the dark.” He continued, “So, in our opinion, this was the most significant cyberattack—even if unsuccessful—during the war thus far.”

Anton Cherepanov added that the attackers also made a mistake in the timing of the wiper stage of their attack, which they launched just before 6 PM on a Friday.

Cherepanov stated, “These attackers missed one very important thing: That Friday is a very short working day, and most people end their work at 5 PM or even 4 PM, so at 5:58 PM, 95% of workstations were switched off, so they weren’t wiped.”

This should serve, by the way, as a useful reminder that offensive cyber operations are harder for the attacker than the defender often imagines. Your well-thought through technical attack might fizzle because you’ve forgotten something simple, like maybe when it is that the people you’re messing with actually knock off work. After all, you, the attacker, may be pulling all-nighters fueled on whatever the GRU’s equivalent of pizza and Mountain Dew might be, and you’ve forgotten that the factory whistle blows early in Kyiv on Friday afternoon. What? Isn’t everyone working 24 and 7? Well, no, and so your elegant wiper winds up wiping very little.

Give some credit, too, to the defenders and the people who’ve rendered them assistance. Reuters reports remarks delivered at the Black Hat conference in Las Vegas on August 10th by Victor Zhora, deputy head of Ukraine's State Special Communications Service. Zhora, whose appearance was little heralded and was widely reported as a “surprise” to those in attendance, said that detection of cyberattacks had more than tripled since the war began in February, and that they became particularly intense in late March and early April.

Reuters summarizes Zhora as saying, "Ukraine faced a number of 'huge incidents' in cyberspace from the end of March to the beginning of April, Zhora said, including the discovery of the 'Industroyer2' malware which could manipulate equipment in electrical utilities to control the flow of power." Zhora also acknowledged the pro bono cloud services provided by Microsoft, Amazon and Google, which have helped the Ukrainian government back data up in physically safe servers abroad.

Montenegro works to recover from Russian cyber offensive.

A cyberattack against Montenegrin infrastructure, which the government has attributed to Russia, appears to have been both extensive and consequential. "Targets include electricity and water supply systems, transportation services, online portals that citizens use to access various state services, and more," BleepingComputer writes. Power plants have switched to manual operations, and many government IT services have been taken offline to contain the effects of the attack. The country's Minister of Public Administration was at pains to reassure citizens that their data were safe: “Although certain services are currently temporarily disabled for security reasons, the security of the accounts of citizens and business entities and their data is not in any way endangered.” Given the kinetic action on the ground, Russian cyberattacks have recently seemed more aimed at punishing nations sympathetic to Ukraine than directed against Ukrainian networks proper.

DDoS attack against Energoatom’s website.

Ukraine’s state-owned nuclear power company Energoatom sustained a distributed denial-of-service (DDoS) attack against its website for about three hours on Monday, August 15th. The corporation said the attack had little effect on visitors to the website, and no effect on its power plants. According to the Record, the attack was launched by the Russian hacktivist group People’s Cyber Army. It was a nuisance-level attack that had only limited impact, but such DDoS attacks can serve as misdirection for more serious and damaging campaigns.

NSTAC recommends cataloging Federal OT assets.

The US President's National Security Telecommunications Advisory Committee (NSTAC) has recommended that the Cybersecurity and Infrastructure Security Agency (CISA) require all Federal civilian agencies inventory all of their OT assets, Meritalk reports. The Committee stated:

"CISA should issue a Binding Operational Directive (BOD), similar to what Section 1505 of the Fiscal Year 2022 National Defense Authorization Act requires for the DoD, that requires executive civilian branch departments and agencies to maintain a real-time, continuous inventory of all OT devices, software, systems, and assets within their area of responsibility, including an understanding of any interconnectivity to other systems. An up-to-date inventory should be required as part of each department or agency’s annual budget process. Once federal agencies clearly understand the vast and interconnected nature of their OT devices and infrastructure, they can then make risk-informed decisions about how to prioritize their cybersecurity budgets to best protect the most consequential of those assets. The White House should mandate periodic reports from CISA on department and agency implementation of this BOD to ensure progress is made."

Chemical sector cybersecurity.

Nextgov reports that CISA is turning its attention to cybersecurity in the chemical sector with a 100-day sprint focused on improving the sector's resilience. CISA director Jen Easterly said at a conference last week that she was already impressed with the chemical sector's approach to this issue. Easterly said, "It was really telling to me that even back in 2009, how robust the standards were, laid out for both physical security but also cyber security. It was before cyber was really a thing that this community really understood the importance of a collective approach."

CISA's recent ICS vulnerability advisories.

The Cybersecurity and Infrastructure Security Agency (CISA) on August 4th, 2022, released two Industrial Control System (ICS) advisories, Digi ConnectPort X2D ("mitigations for an Execution with Unnecessary Privileges vulnerability in Digi ConnectPort X2D, a connection gateway") and Inductive Automation Ignition (Update A) ("mitigations for an Improper Restriction of XML External Entity Reference vulnerability in versions of Inductive Automation Ignition software").

On August 9th, 2022, CISA released three Industrial Control Systems Advisories, for Mitsubishi Electric GT SoftGOT2000 ("mitigations for Infinite Loop and OS Command Injection vulnerabilities"), Emerson ControlWave ("mitigations for an Insufficient Verification of Data Authenticity vulnerabilities"), and Emerson OpenBSI ("mitigations for Use of Broken or Risky Cryptographic Algorithm and Use of Hard-coded Cryptographic Key vulnerabilities").

A very large tranche of advisories was issued on August 11th, 2022, when CISA released an unusually large number of ICS security advisories, twenty eight in all. The affected systems include:

Siemens Simcenter STAR-CCM ("mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability")
Siemens Teamcenter ("mitigations for Command Injection and Infinite Loop vulnerabilities")
Schneider Electric EcoStruxure EcoStruxure Process Expert SCADAPack RemoteConnect for x70 ("mitigations for Heap-based Buffer Overflow, Wrap or Wraparound, Classic Buffer Overflow, and Out-of-bounds Write vulnerabilities")
Emerson ROC800, ROC800L and DL8000 ("mitigations for an Insufficient Verification of Data Authenticity vulnerability"), Siemens SICAM A8000 Web Server Module ("mitigations for an Improper Access Control vulnerability")
Siemens SICAM TOOLBOX II ("mitigations for a Use of Hard-coded Credentials vulnerability")
Siemens SCALANCE ("mitigations for Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’), Allocation of Resources Without Limits or Throttling, and Basic Cross Site Scripting vulnerabilities")
Siemens SIMATIC S7-400 (Update A) ("mitigations for an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability")
Siemens Industrial Products Intel CPUs (Update E) ("mitigations for a Missing Encryption of Sensitive Data vulnerability")
ICSA-21-194-07 Siemens Industrial Products LLDP (Update C) ("mitigations for Classic Buffer Overflow and Uncontrolled Resource Consumption vulnerabilities")
Siemens Linux-based Products (Update I) ("mitigations for a Use of Insufficiently Random Values vulnerability")
Siemens Datalogics File Parsing Vulnerability (Update A) ("mitigations for a Heap-based buffer Overflow vulnerability")
Siemens S7-400 CPUs (Update B) ("mitigations for an Improper Input Validation vulnerability")
Siemens SIMATIC Software Products (Update B) ("mitigations for an Incorrect Permission Assignment for Critical Resource vulnerability")
Siemens SIMATIC S7-1200 and S7-1500 CPU Families (Update B) ("mitigations for Use of a Broken or Risky Cryptographic Algorithm and Missing Support for Integrity Check vulnerabilities")
Baxter Sigma Spectrum Infusion Pumps (Update B) ("mitigations for Use of Hard-coded Password, Cleartext Transmission of Sensitive Data, Incorrect Permission Assignment for Critical Resource, and Operation on a Resource After Expiration or Release vulnerabilities")
Siemens Industrial Products with OPC UA (Update H) ("mitigations for an Uncaught Exception vulnerability")
Siemens PROFINET Stack Integrated on Interniche Stack (Update C) ("mitigations for an Uncontrolled Resource Consumption vulnerability")
Siemens TIA Portal (Update F) ("mitigations for a Path Traversal vulnerability")
Siemens Teamcenter (Update A) ("mitigations for a Use of Hard-coded Credentials vulnerability")
Siemens Industrial Devices using libcurl (Update B), ("mitigations for a Use After Free vulnerability")
Siemens SIMATIC WinCC and PCS (Update C), ("mitigations for Exposure of Sensitive Information to an Unauthorized Actor and Insertion of Sensitive Information into Externally Accessible File or Directory vulnerabilities")
Siemens Teamcenter (Update B), ("mitigations for Stack-based Buffer Overflow and Improper Restriction of XML External Entity Reference vulnerabilities")
Siemens Industrial Products (Update B) ("mitigations for an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability")
Siemens OpenSSL Vulnerabilities in Industrial Products (Update B) ("mitigations for a NULL Pointer Dereference vulnerability")
Siemens RUGGEDCOM ROS (Update A) ("mitigations for an Improper Control of Generation of Code vulnerability")
Siemens Simcenter Femap and Parasolid (Update A) ("mitigations for an Out-of-bounds Read vulnerability")
Siemens SRCS VPN Feature in SIMATIC CP Devices (Update A) ("mitigations for Heap-based Buffer Overflow, Command Injection, and Code Injection vulnerabilities").

Another large (but not that large) set of advisories was issued on August 16th. CISA issued eight industrial control system (ICS) security advisories, for Yokogawa CENTUM Controller FCS ("mitigations for a Denial of Service vulnerability"), LS ELEC PLC and XG5000 ("mitigations for an Inadequate Encryption Strength vulnerability"), Delta Industrial Automation DRAS ("mitigations for an Improper Restriction of XML External Entity Reference vulnerability"), Softing Secure Integration Server ("mitigations for Out-of-bounds Read, Uncontrolled Search Path Element, Improper Authentication, Relative Path Traversal, Cleartext Transmission of Sensitive Information, NULL Pointer Dereference, and Integer Underflow vulnerabilities"), BR Industrial Automation Automation Studio 4 ("mitigations for an Unrestricted Upload of File with Dangerous Type vulnerability"), Emerson Electric Proficy Machine Edition ("mitigations for Missing Support for Integrity Check, Improper Access Control, Unrestricted Upload of File with Dangerous Type, Improper Verification of Cryptographic Signature, Insufficient Verification of Data Authenticity, and Path Traversal: ‘\..\filename’ vulnerabilities"), Sequi PortBloque S ("mitigations for Improper Authentication and Improper Authorization vulnerabilities"), and Siemens Industrial Products with OPC UA (Update B) ("mitigations for various Siemens Industrial Products with OPC UA products").

On August 23rd, 2022, CISA released seven additional ICS advisories, for ARC Informatique PcVue ("mitigations for a Cleartext Storage of Sensitive Information vulnerability"), Delta Industrial Automation DIALink ("mitigations for an Use of Hard-coded Cryptographic Key vulnerability"), myScada Pro ("mitigations for a Command Injection vulnerability"), Measuresoft ScadaPro Server ("mitigations for an Out-of-bounds Write vulnerability"), Measuresoft ScadaPro Server and Client ("mitigations for Untrusted Pointer Dereference, Stack-based Buffer Overflow, Use After Free, and Link Following vulnerabilities"), Hitachi Energy RTU500 ("mitigations for a Stack-based Buffer Overflow vulnerability"), and Illumina Local Run Manager (Update A) ("mitigations for Path Traversal, Unrestricted Upload of File with Dangerous Type, Improper Access Control, and Cleartext Transmission of Sensitive Information vulnerabilities").

A single advisory was issued on August 25th, for a remote code vulnerability in FATEK Automation FvDesigner. And on August 30th, CISA released twelve 12 Industrial Control Systems Advisories, for Hitachi Energy FACTS Control Platform (FCP) Product ("mitigations for Inconsistent Interpretation of HTTP Requests, Use After Free, Classic Buffer Overflow, Integer Underflow, Improper Certificate Validation, [and] Observable Discrepancy vulnerabilities"), Hitachi Energy GWS ("mitigations for HTTP Requests, Use After Free, Classic Buffer Overflow, Integer Underflow, Improper Certificate Validation, [and] Observable Discrepancy vulnerabilities"), Hitachi Energy MSM ("mitigations for a Reliance on Uncontrolled Component vulnerability"), Hitachi Energy RTU500 series ("mitigations for an Improper Input Validation vulnerability"), Fuji Electric D300win ( "mitigations for Out-of-bounds Read and Write-what-where Condition vulnerabilities "), Honeywell ControlEdge ("mitigations for a Missing Authentication for Critical Function vulnerability"), Honeywell Experion LX ("mitigations for a Missing Authentication for Critical Function vulnerability"), Honeywell Trend Controls ("mitigations for a Cleartext Transmission of Sensitive Information vulnerability"), Omron CX-Programmer ("mitigations for a Use After Free vulnerability"), PTC Kepware KEPServerEX ("mitigations for Heap-Based Buffer Overflow and Stack-Based Buffer Overflow vulnerabilities"), Sensormatic Electronics iSTAR ("mitigations for a Command Injection vulnerability"), and Mitsubishi Electric Multiple Factory Automation Products (Update B) ("mitigations for Infinite Loop and OS Command Injection vulnerabilities").

Dragos Setpoint

Calling all Asset Owners and Operators: apply to attend the Dragos Industrial Security Conference 2022.

Mark your calendar for Saturday, November 5, 2022, for the next Dragos Industrial Security Conference (DISC), 100% free as a thank you to the ICS asset owner and operator community. You’ll hear ICS research on threats, malware, incidents, and vulnerabilities conducted by our intelligence and threat operations teams. Visit http://dragos.com/disc-2022 to learn more, and register. DISC is the exclusive event for industrial asset owners and operators in the electric, oil and gas, chemicals, food and beverage, pharmaceutical, manufacturing, mining, and other sectors. You’ll get technical, in-depth research findings and insights from Dragos experts and ICS practitioners on the front lines. Register your interest today.

On the Podcast

Pipeline cybersecurity mitigation actions, contingency planning, and testing.

Bryson Bort from SCYTHE joins us to discuss threat emulation for critical infrastructure, season 3 of Hack the Plant with the Atlantic Council, and the ICS Village at Def Con in collaboration with CISA. Listen now.

Executive discussions and how to communicate your cyber risks to the Board.

Jason Christopher, Director of Cyber Risk at Dragos, discusses intelligent boardroom decisions and how to use threat-informed industrial risk management. Listen now.

Attacks, Threats, and Vulnerabilities

Vulnerable U.S. electric grid facing threats from Russia and domestic terrorists (CBS News) Bill Whitaker reports that a coordinated attack on a relatively small number of critical substations could plunge the U.S. into darkness.

Cyberattack Raises Pressure on European Water Providers During Drought (Wall Street Journal) A cyberattack on a British company that supplies drinking water to 1.6 million customers has raised security concerns about the vulnerability of such utilities across drought-stricken Europe.

Zelenskiy says crisis averted as Russian-held Ukraine nuclear plant regains power (Reuters) President Volodymyr Zelenskiy said the world narrowly avoided a radiation disaster on Thursday as the last regular line supplying electricity to Ukraine's Russian-held Zaporizhzhia nuclear power plant was restored hours after being cut.

Ukrainian fears run high over fighting near nuclear plant (AP NEWS) Ukrainians are once again anxious and alarmed about the fate of a nuclear power plant in a land that was home to the world’s worst atomic accident in 1986 at Chernobyl.

Ukraine war: Europe 'one step away from nuclear disaster', warns Zelensky (The Telegraph) Volodymyr Zelensky said the world narrowly avoided a radiation disaster as electricity to the Zaporizhzhia nuclear power plant was cut for hours because of Russian shelling in the area - allegations that Moscow denied.

Zaporizhzhia nuclear plant: The real worst-case scenario (The Telegraph) Up-to-date failsafes make a possible meltdown ‘extremely difficult to imagine’ - but the danger posed by missile attacks remains unclear

Revealed: Russian plan to disconnect Zaporizhzhia nuclear plant from grid (the Guardian) Plan risks catastrophic failure of cooling systems, says head of Ukraine’s atomic energy company

Russians are torturing us so we don't talk to UN, Ukraine nuclear plant workers say (The Telegraph) Staff say occupying forces don't want them to disclose safety risks ahead of inspection at Zaporizhzhia, Europe's largest power station

HONEYWELL CYBERSECURITY RESEARCH REVEALS 52% OF CYBER THREATS TARGETED AT REMOVABLE MEDIA (PR Newswire) According to a report released today by Honeywell (NASDAQ: HON), the threat of USB-borne malware continues to be a serious concern. Data from...

Targeted attack on industrial enterprises and public institutions (Kaspersky ICS-CERT) The attackers penetrate the enterprise network using carefully crafted phishing emails, some of which contain information that is specific to the organization under attackand is not publicly available. This could indicate that the attackers did preparatory work in advance (they may have obtained the information in earlier attacks on the same organization or its employees or on other organizations or individuals associated with the victim organization).

Dragos Industrial Ransomware Analysis: Q2 2022 (Dragos | Industrial (ICS/OT) Cyber Security) Based on our ongoing threat analysis, ransomware groups continue to target industrial organizations & disrupt operational technology (OT) operations in Q2 2022.

Dragos: 125 ransomware attacks on industrial systems in Q2 after Conti shutdown (The Record by Recorded Future) Ransomware attacks on industrial systems continued unabated in the second quarter of the year according to data collected by security company Dragos, which counted 125 incidents during that time.

One of 5G’s Biggest Features Is a Security Minefield (Wired) New research found troubling vulnerabilities in the 5G platforms carriers offer to wrangle embedded device data.

Hackers attack UK water supplier but extort wrong victim (BleepingComputer) South Staffordshire Water, a company supplying 330 million liters of drinking water to 1.6 consumers daily, has issued a statement confirming IT disruption from a cyberattack.

South Staffordshire Water says it was target of cyber attack as criminals bungle extortion attempt (Sky News) The parent company for Cambridge Water and South Staffs Water stresses it is still supplying safe water for customers.

OT Security Firm Warns of Safety Risks Posed by Alerton Building System Vulnerabilities (SecurityWeek) Potentially serious vulnerabilities have been found in a building management system made by Alerton, a brand of industrial giant Honeywell.

Windows-based HMIs are too slow for monitoring process sensors or plant equipment anomalies (Control Global) Microsoft Windows has been widely adopted as a Human-Machine Interface (HMI) for Operational Technology (OT) networks which includes control systems, process sensors, and equipment monitoring. Why? Because it was there and available, not because it was optimized for the task. Windows has proven to be a great operating system for business systems and information exchange between Information Technology (IT) and OT organizations. But as an HMI to provide detailed engineering data, not so much.

Over 9,000 VNC servers exposed online without a password (BleepingComputer) Researchers have discovered at least 9,000 exposed VNC (virtual network computing) endpoints that can be accessed and used without authentication, allowing threat actors easy access to internal networks.

A New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave (Wired) A hacker has formulated an exploit that provides root access to two popular models of the company’s farm equipment.

Ski-Doo maker BRP resumes operations following cyber attack; shares fluctuate (MarketWatch) BRP has not revealed specific details of the cyber assault, but a cybersecurity expert thinks it could be a ransomware attack.

Patches, Mitigations, and Updates

Digi ConnectPort X2D (CISA) 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Digi International, Inc. Equipment: ConnectPort X2D Gateway Vulnerability: Execution with Unnecessary Privileges 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute malicious actions resulting in code execution.

Inductive Automation Ignition (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Inductive Automation Equipment: Ignition Vulnerability: Improper Restriction of XML External Entity Reference 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to obtain file contents.

Mitsubishi Electric GT SoftGOT2000 (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: GT SoftGOT2000 Vulnerabilities: Infinite Loop, OS Command Injection 2. RISK EVALUATION Successful exploitation of these vulnerabilities could create a denial-of-service condition or enable arbitrary code execution.

Siemens Simcenter STAR-CCM+ (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Simcenter STAR-CCM+ Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor 2. RISK EVALUATION  Simcenter STAR-CCM+ contains an information disclosure vulnerability when using the Power-on-Demand public license server.

Siemens Teamcenter (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.6 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Siemens Equipment: Teamcenter Vulnerabilities: Command Injection, Infinite Loop 2. RISK EVALUATION Successful exploitation of these vulnerabilities could lead to command injection and denial-of-service condition.

Schneider Electric EcoStruxure, EcoStruxure Process Expert, SCADAPack RemoteConnect for x70 (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: EcoStruxure, EcoStruxure Process Expert, SCADAPack RemoteConnect for x70 Vulnerabilities: Heap-based Buffer Overflow, Wrap or Wraparound, Classic Buffer Overflow, Out-of-bounds Write 2.

Emerson ROC800, ROC800L and DL8000 (CISA) 1. EXECUTIVE SUMMARY CVSS v3 6.3 ATTENTION: High attack complexity Vendor: Emerson Equipment: ROC800, ROC800L and DL8000 Vulnerability: Insufficient Verification of Data Authenticity CISA is aware of a public report, known as “OT:ICEFALL” that details vulnerabilities found in multiple operational technology (OT) vendors.

Siemens SICAM TOOLBOX II (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SICAM TOOLBOX II Vulnerability: Use of Hard-coded Credentials  2. RISK EVALUATION  Successful exploitation of this vulnerability results in full access to the database.

Siemens SCALANCE (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SCALANCE Vulnerabilities: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’), Allocation of Resources Without Limits or Throttling, Basic Cross Site Scripting 2.

Siemens SIMATIC S7-400 (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC S7-400 Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to create a denial-of-service condition.

Siemens Industrial Products Intel CPUs (Update A) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Low attack complexity Vendor: Siemens Equipment: SIMATIC, SINUMERIK Vulnerabilities: Missing Encryption of Sensitive Data 2. UPDATE INFORMATION This updated advisory is a follow-up to the original advisory titled ICSA-21-222-05 Siemens Industrial Products Intel CPU that was published August 10, 2021, to the ICS webpage on www.cisa.gov/uscert.

Siemens Industrial Products LLDP (Update B) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Industrial Products Vulnerabilities: Classic Buffer Overflow, Uncontrolled Resource Consumption 2.

Siemens Linux-based Products (Update G) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.4 ATTENTION: Exploitable remotely Vendor: Siemens Equipment: Linux based products Vulnerability: Use of Insufficiently Random Values 2. UPDATE INFORMATION This updated advisory is a follow-up to the advisory update titled ICSA-21-131-03 Siemens Linux-based Products (Update F) that was published November 11, 2021, to the ICS webpage at www.cisa.gov/uscert.

Siemens Datalogics File Parsing Vulnerability (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Teamcenter Visualization and JT2Go Vulnerability: Heap-based buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could crash a system or potentially lead to arbitrary code execution if a user opens a malicious PDF file.

Siemens S7-400 CPUs (Update A) (CISA) This updated advisory is a follow-up to the advisory update titled ICSA-18-317-02 Siemens S7-400 CPUs (Update A) that was published May 14, 2019, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for an Improper Input Validation vulnerability in versions of SIMATIC S7-400 products.

Siemens SIMATIC Software Products (Update B) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.3 ATTENTION: Low attack complexity Vendor: Siemens Equipment: SIMATIC Software Products Vulnerability: Incorrect Permission Assignment for Critical Resource 2. UPDATE INFORMATION This updated advisory is a follow-up to the original advisory titled ICSA-21-194-06 Siemens SIMATIC Software Products (Update A) that was published July 13, 2021, to the ICS webpage on cisa.gov/ics

Siemens SIMATIC S7-1200 and S7-1500 CPU Families (Update B) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Siemens Equipment: SIMATIC S7-1200 and S7-1500 CPU families Vulnerabilities: Use of a Broken or Risky Cryptographic Algorithm, Missing Support for Integrity Check 2.

Baxter Sigma Spectrum Infusion Pumps (Update B) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Baxter Equipment: Sigma Spectrum Infusion Pumps Vulnerabilities: Use of Hard-coded Password, Cleartext Transmission of Sensitive Data, Incorrect Permission Assignment for Critical Resource, Operation on a Resource After Expiration or Release 2.

Siemens Industrial Products with OPC UA (Update H) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Siemens Equipment: SIMATIC, SINEC-NMS, SINEMA, SINEMURIK Industrial Control Products with OPC UA Vulnerability: Uncaught Exception 2.

Siemens PROFINET Stack Integrated on Interniche Stack (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: PROFINET Stack Integrated on Interniche Stack Vulnerability: Uncontrolled Resource Consumption 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a denial-of-service condition.

Siemens TIA Portal (Update C) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low skill level to exploit Vendor: Siemens Equipment: TIA Portal Vulnerability: Path Traversal 2. UPDATE INFORMATION This updated advisory is a follow-up to the advisory update titled ICSA-20-014-05 Siemens TIA Portal (Update B) that was published January 12, 2021, to the ICS webpage at www.cisa.gov/uscert/ics.

Siemens Teamcenter (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Teamcenter Vulnerability: Use of Hard-coded Credentials 2. RISK EVALUATION Successful exploitation of this vulnerability could lead to remote code execution with elevated permissions.

Siemens Industrial Devices using libcurl (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.1 ATTENTION: Exploitable remotely Vendor: Siemens Equipment: Industrial devices using libcurl Vulnerabilities: Use After Free 2. RISK EVALUATION Successful exploitation of these vulnerabilities could crash and allow an attacker to interfere with the affected products in various ways.

Siemens SIMATIC WinCC and PCS (CISA) 1. EXECUTIVE SUMMARY CVSS v3 6.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC WinCC and PCS Vulnerabilities: Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Externally-Accessible File or Directory 2.

Siemens Teamcenter (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Teamcenter Vulnerabilities: Stack-based Buffer Overflow, Improper Restriction of XML External Entity Reference 2. RISK EVALUATION Successful exploitation of these vulnerabilities may lead the binary to crash or allow an attacker to view files on the application server filesystem.

Siemens Industrial Products (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: OPC Foundation Local Discovery Server of several industrial products Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of this vulnerability could cause a denial-of-service condition on the service or the device.

Siemens OpenSSL Vulnerabilities in Industrial Products (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.9 ATTENTION: Exploitable remotely/high attack complexity Vendor: Siemens Equipment: Siemens Industrial Products Vulnerability: NULL Pointer Dereference 2. RISK EVALUATION Successful exploitation of this vulnerability may allow an unauthenticated attacker to cause a denial-of-service condition if a maliciously crafted renegotiation message is sent.

Siemens RUGGEDCOM ROS (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: RUGGEDCOM ROS Vulnerability: Improper Control of Generation of Code 2. RISK EVALUATION Successful exploitation of this vulnerability could cause malicious behavior through legitimate user accounts accessing certain web resources on affected devices.

Simcenter Femap and Parasolid (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Simcenter Femap and Parasolid Vulnerability: Out-of-bounds Read 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform remote code execution in the context of the current process of the application through an out-of-bounds read.

Siemens SRCS VPN Feature in SIMATIC CP Devices (CISA) 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC CP Devices Vulnerabilities: Heap-based Buffer Overflow, Command Injection, Code Injection 2.

Yokogawa CENTUM Controller FCS (CISA) 1. EXECUTIVE SUMMARY CVSS v3 6.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Yokogawa Equipment: CENTUM VP & CS 3000 Controller FCS Vulnerability: Denial of Service 2. RISK EVALUATION Successful exploitation of this vulnerability could crash the affected device, resulting in a denial-of-service condition.

LS ELECTRIC PLC and XG5000 (CISA) 1. EXECUTIVE SUMMARY CVSS v3 6.5 ATTENTION: Exploitable remotely Vendor: LS Electric, LS Industrial Systems (LSIS) Co. Ltd Equipment: LS ELEC PLC and XG5000 Vulnerability: Inadequate Encryption Strength 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to decrypt credentials and gain full access to the affected programmable logic controller (PLC).

Delta Industrial Automation DRAS (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.5 ATTENTION: Low attack complexity Vendor: Delta Electronics Equipment: Delta Robot Automation Studio (DRAS) Vulnerability: Improper Restriction of XML External Entity Reference. 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to read and exfiltrate sensitive information from the affected host machine.

Softing Secure Integration Server (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Softing Equipment: Secure Integration Server Vulnerabilities: Out-of-bounds Read, Uncontrolled Search Path Element, Improper Authentication, Relative Path Traversal, Cleartext Transmission of Sensitive Information, NULL Pointer Dereference, Integer Underflow. 2.

B&R Industrial Automation Automation Studio 4 (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.3 ATTENTION: Exploitable remotely Vendor: B&R Industrial Automation Equipment: Automation Studio 4 Vulnerability: Unrestricted Upload of File with Dangerous Type 2.

Emerson Proficy Machine Edition (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.3 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Emerson Equipment: Proficy Machine Edition Vulnerabilities: Missing Support for Integrity Check, Improper Access Control, Unrestricted Upload of File with Dangerous Type, Improper Verification of Cryptographic Signature, Insufficient Verification of Data Authenticity, Path Traversal: ‘\..\filename’ 2.

Sequi PortBloque S (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Sequi Equipment: Sequi PortBloque S Vulnerabilities: Improper Authentication, Improper Authorization 2.

Siemens Industrial Products with OPC UA (CISA) 1. EXECUTIVE SUMMARY CVSS v3 6.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC NET PC, SITOP Manager, TeleControl Server Basic Vulnerability: Null Pointer Dereference 2. RISK EVALUATION Successful exploitation of this vulnerability could crash the device by sending uncertain status code in a response message.

ARC Informatique PcVue (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.5 ATTENTION: Low attack complexity Vendor: ARC Informatique Equipment: PcVue Vulnerability: Cleartext Storage of Sensitive Information 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to access the OAuth web service database.

Delta Industrial Automation DIALink (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Delta Electronics Equipment: Delta Industrial Automation DIALink Vulnerability: Use of Hard-coded Cryptographic Key 2. RISK EVALUATION Successful exploitation of this vulnerability could result in the exposure of sensitive data.

mySCADA myPRO (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: mySCADA Technologies Equipment: mySCADA myPRO Vulnerability: Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to run commands directly in the operating system.

Measuresoft ScadaPro Server (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Measuresoft Equipment: ScadaPro Server Vulnerability: Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of this vulnerability may allow arbitrary code execution.

Measuresoft ScadaPro Server and Client (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Measuresoft Equipment: ScadaPro Server and Client Vulnerabilities: Untrusted Pointer Dereference, Stack-based Buffer Overflow, Use After Free, Link Following. 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow arbitrary code execution, privilege escalation, or a denial-of-service condition.

Hitachi Energy RTU500 (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: RTU500 Series Vulnerability: Stack-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to send a specially crafted Modbus TCP packet in a high rate, causing a stack overflow, which could result in a reboot of the product.

Illumina Local Run Manager (CISA) 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Illumina Equipment: Local Run Manager (LRM) Vulnerabilities: Path Traversal, Unrestricted Upload of File with Dangerous Type, Improper Access Control, Cleartext Transmission of Sensitive Information 2.

FATEK Automation FvDesigner (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: FATEK Automation Equipment: FvDesigner Vulnerability: Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of this vulnerability may allow remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of the FvDesigner software tool are affected:

Hitachi Energy FACTS Control Platform (FCP) Product (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: FACTS Control Platform (FCP) Product Vulnerability: Inconsistent Interpretation of HTTP Requests, Use After Free, Classic Buffer Overflow, Integer Underflow, Improper Certificate Validation, Observable Discrepancy. 2.

Hitachi Energy Gateway Station (GWS) Product (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: Gateway Station (GWS) Product Vulnerability: Inconsistent Interpretation of HTTP Requests, Use After Free, Classic Buffer Overflow, Integer Underflow, Improper Certificate Validation, Observable Discrepancy 2.

Hitachi Energy MSM Product (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: MSM Product Vulnerability: Reliance on Uncontrolled Component 2. RISK EVALUATION Successful exploitation of this vulnerability could disrupt the functionality of the MSM web interface, steal sensitive user credentials, or cause a denial-of-service condition.

Hitachi Energy RTU500 series (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: RTU500 series Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could cause an internal buffer overflow, which can reboot the product.

Fuji Electric D300win (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Fuji Electric Equipment: D300win Vulnerabilities: Out-of-bounds Read, Write-what-where Condition 2. RISK EVALUATION Successful exploitation of these vulnerabilities could result in loss of sensitive data and manipulation of information.

Honeywell ControlEdge (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Honeywell Equipment: ControlEdge Vulnerability: Missing Authentication for Critical Function CISA is aware of a public report known as “OT:ICEFALL” that details vulnerabilities found in multiple operational technology (OT) vendors.

Honeywell Experion LX (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Honeywell Equipment: Experion LX Vulnerability: Missing Authentication for Critical Function CISA is aware of a public report known as “OT:ICEFALL” that details vulnerabilities found in multiple operational technology (OT) vendors.

Honeywell Trend Controls Inter-Controller Protocol (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.1 ATTENTION: Low attack complexity Vendor: Honeywell Equipment: Trend Controls IQ Series that utilize Inter-Controller (IC) protocol Vulnerability: Cleartext Transmission of Sensitive Information CISA is aware of a public report, known as “OT:ICEFALL” that details vulnerabilities found in multiple operational technology (OT) vendors.

Omron CX-Programmer (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7,8 ATTENTION: Low attack complexity Vendor: Omron Equipment: CX-Programmer Vulnerability: Use After Free 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Omron product, part of a software automation suite, is affected:

PTC Kepware KEPServerEX (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: PTC Equipment: Kepware KEPServerEX Vulnerabilities: Heap-based Buffer Overflow, Stack-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to crash the device or remotely execute arbitrary code.

Sensormatic Electronics iSTAR (CISA) 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Sensormatic Electronics, a subsidiary of Johnson Controls Inc. Equipment: iSTAR Ultra Vulnerability: Command Injection 2. RISK EVALUATION An unauthenticated user could use a malicious request to run arbitrary commands as root user.

Business and Market Trends

Pipeline Operators Are Headed in the Right Direction, With or Without TSA's Updated Security Directives (Dark Reading) A worsening threat landscape, increased digitization, and the long-term positive effects of modern security strategies are pushing critical infrastructure operators to do better.

Pittsburgh cybersecurity firm GrayMatter merges with Michigan-based automation company HTSE (Pittsburgh Inno) GrayMatter, one of Pittsburgh's largest cybersecurity firms, announced it entered into a strategic merger with Portage, Michigan-based HTSE Inc., a process automation and machine control provider that's worked on over 1,000 of such projects for food, beverage, pharmaceutical, chemical and manufacturing companies around the world.

Technologies, Techniques, and Standards

The importance of critical infrastructure protection in the energy sector (Power Engineering) The U.S. electric grid provides electricity to millions of homes and businesses via a complex and vulnerable network of power plants, transmission lines and distribution centers. It is essential to daily life and commerce in America. One of the greatest cybersecurity threats to the electric grid involves ICS or “industrial control systems.” ICS manage electrical processes and physical functions like opening and closing circuit breakers.

Products, Services, and Solutions

OPSWAT Presents New Malware Analysis Capabilities for Operational Technology (OT) at Black Hat USA 2022 (GlobeNewswire News Room) Product enhancements to offer full IT and OT threat intelligence services for OPSWAT customers...

Illumio and Armis Announce Joint Solution to Protect IT and OT Networks from Breaches (StreetInsider.com) New Partnership Provides Visibility and Zero Trust Segmentation to Reduce Risk and Build Cyber Resilience Across IT, IoT, and OT Environments

Policy, Legislation, and Regulation

NSTAC Urges CISA Action to Boost Security of Feds’ OT Systems (MeriTalk) The National Security Telecommunications Advisory Committee (NSTAC) voted on August 23 to approve a report recommending that the Cybersecurity and Infrastructure Security Agency (CISA) issue an order requiring all Federal civilian agencies to catalog all of their operational technology (OT) devices and systems as one of many steps to improve OT cybersecurity in government and the private sector.

CISA Director Speaks at Chemical Security Summit (C-SPAN.org) Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly noted Russia's continued invasion of Ukraine and Ukrainian Independence Day saying the agency is concerned and monitoring potential threats from Russia, state sponsored organizations and other criminal groups. Director Easterly spoke about cybersecurity and critical infrastructure threats at the agency's summit, which focused on protecting facilities housing potentially dangerous chemicals if in the wrong hands. Ms. Easterly along with CISA's Chemical Security Associate Director, Kelly Murray, also emphasized the importance and a need for a more lengthy congressional reauthorization of the Chemical Facility Anti-Terrorism Standards (CFATS) program.

DOE Announces $45 Million for Next-Generation Cyber Tools to Protect the Power Grid (Energy.gov) Funding Will Support Projects that Will Help Make American Energy Systems Secure, Resilient, and Reliable

DOE invests $45 million in cyber technology that protects power sector (The Hill) The Department of Energy announced on Wednesday that it is investing $45 million in cyber technology that will protect the power grid sector from cyberattacks. The investment will fund up…