Security researchers have identified a software vulnerability affecting industrial control systems (ICS) from more than 200 vendors. The software, CoDeSys, has a design flaw that could allow attackers to execute sensitive commands on certain devices without authentication, according to security consultancy Digital Bond.
CoDeSys is a ladder logic system used on programmable logic controllers (PLCs), which are used to control and automate processes in industrial and key infrastructure facilities such as power plants, water and wastewater facilities, oil and natural gas refineries and manufacturing plants. A report on ICS security from the U.S. National Institute of Standards and Technology (NIST) noted that “these control systems are vital to the operation of the U.S. critical infrastructures.”
The flaw identified by Digital Bond arises from the fact that CoDeSys usually runs automatically with a high level of privilege. It offers a TCP (Transmission Control Protocol) listener service that allows access to a command-line interface and file transfer functionality without authentication. A savvy user could therefore execute commands to shut down PLC functions, browse or modify files and directories, change online access permissions or transfer malicious files to a PLC.
“This attack can be used not only to control the PLC but also to turn the PLC into an ‘agent’ to attack other devices in the network,” Ruben Santamarta, a security researcher from security firm IOActive, told TechWorld.
According to Digital Bond, 261 vendors employ CoDeSys in their ICS hardware. While CoDeSys manufacturer 3S-Smart noted that the vulnerability should only be exploitable by someone with network access to a PLC runtime, security researchers have noted that some PLC networks are exposed to the internet, TechWorld reported. As a result, large swaths of infrastructure could be affected by the vulnerability, posing a potential cybersecurity threat. NIST notes that threats to control systems can originate from a wide range of sources including hostile governments and malicious intruders.
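The practical defender's question raised by the two preceding paragraphs is whether anything outside the engineering network can reach a PLC runtime's unauthenticated listener at all. The following is an added example (not from the article, Digital Bond, or 3S-Smart) that scans constructed flow records and flags connections to the PLC listener port from hosts outside the allowed engineering subnet. The subnet, the listener port and the sample flows are all assumptions: the article names none of them, so the port is a placeholder to be replaced with the site's real runtime port.

```python
import ipaddress
from collections import Counter

# Assumed values (not stated in the article): the engineering network that is
# allowed to reach PLC runtimes, and the TCP port the runtime listener uses on
# this site. Replace both with local values before use.
ENGINEERING_NET = ipaddress.ip_network("10.10.20.0/24")
PLC_LISTENER_PORT = 12345  # placeholder, substitute the site's real runtime port

# Constructed sample flow records in a minimal "src_ip dst_ip dst_port proto"
# form, as a firewall or NetFlow export might be reduced to.
SAMPLE_FLOWS = """\
10.10.20.15 10.10.30.7 12345 tcp
10.10.20.16 10.10.30.7 12345 tcp
203.0.113.44 10.10.30.7 12345 tcp
198.51.100.9 10.10.30.8 12345 tcp
10.10.20.15 10.10.30.7 502 tcp
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    src, dst, port, proto = line.split()
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "proto": proto.lower(),
    }


def is_unexpected_plc_access(flow):
    """True when a TCP flow hits the PLC listener port from outside the engineering net."""
    return (
        flow["proto"] == "tcp"
        and flow["port"] == PLC_LISTENER_PORT
        and flow["src"] not in ENGINEERING_NET
    )


def find_unexpected_plc_access(text):
    """Return (source, plc) pairs for every flagged flow, in input order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue  # skip blank lines in the export
        flow = parse_flow(line)
        if is_unexpected_plc_access(flow):
            alerts.append((str(flow["src"]), str(flow["dst"])))
    return alerts


def summarize_by_plc(alerts):
    """Count flagged connections per PLC so the most exposed device stands out."""
    return dict(Counter(dst for _, dst in alerts))


if __name__ == "__main__":
    hits = find_unexpected_plc_access(SAMPLE_FLOWS)
    for src, dst in hits:
        print(f"ALERT: {src} reached the PLC runtime listener on {dst}")
    print(summarize_by_plc(hits))
```

Only the two flows from documentation-range addresses (203.0.113.44 and 198.51.100.9) are flagged; engineering-workstation traffic to the same port, and traffic to other ports, is not. Any hit from a routable address is evidence that the runtime is reachable beyond the control network, which is precisely the exposure the researchers describe and which segmentation or an authenticating front end should remove.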
While this type of embedded software problem presents a troubling threat and could involve potentially daunting costs to remedy across such a wide range of vendors, Digital Bond’s Dale Peterson observed one success story that offers a sense of how such problems might be avoided. At least one vendor’s use of a security development lifecycle (SDL) caught the software security flaw, enabling the company to modify its product with an outer layer of authentication as a precaution.
Security news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.