Critical vulnerabilities have been discovered in the Honeywell Experion PKS controllers C200, C200E and C300 and in the ACE controllers. ICS-CERT and CISA have issued a warning about this, and the manufacturer Honeywell has issued security advice on what administrators of the affected controllers should do to protect themselves.
Honeywell Experion PKS is a process control system used in industrial plants. The C200, C200E, C300 and ACE units are controllers that are also used in industrial applications. These components contain critical vulnerabilities that CISA and ICS-CERT are warning about. I became aware of the issue via the following tweet.
The CISA document is quite concise and indicates that all versions of Honeywell Experion Process Knowledge System C200, C200E, C300 and ACE controllers have multiple vulnerabilities. The vulnerabilities allow a remote attacker to take control of an affected system. Exploitation in the wild has not been observed to date.
ICS-Advisory CSA-21-278-04 contains more information about this. The vulnerabilities exist in the Experion Process Knowledge System (PKS) C200, C200E and C300 controllers and in all ACE controllers. They are classified as unrestricted upload of files with dangerous types, relative path traversal, and improper neutralization of special elements in output used by a downstream component.
Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors. In addition, Honeywell has published support document SN2021-02-22-01. CISA recommends the following measures to secure the systems:
- Minimize network exposure of all control system devices and/or systems and ensure they are not accessible via the Internet.
- Place control system networks and remote devices behind firewalls and isolate them from the corporate network.
- If remote access is required, use secure methods such as virtual private networks (VPNs), although VPNs can have security vulnerabilities and should be updated to the latest available version. In addition, a VPN is only as secure as the devices connected to it.
CISA also reminds organizations to conduct proper impact analysis and risk assessment before deploying defenses.