September 2020

NEWS, September 2020, www.drivesncontrols.com

Cybersecurity researchers warn of new dangers to automation systems

THE CYBERSECURITY research firm Trend Micro has issued a pair of reports highlighting potential dangers to industrial automation systems posed by vulnerabilities in protocol gateways and programming languages. It says that these flaws could expose automation systems to critical attacks, enabling attackers to hijack automation systems and industrial robots, to disrupt production, or to steal intellectual property.

The first report, Lost in Translation: When Industrial Protocol Translation Goes Wrong, reveals a new class of security vulnerabilities in protocol gateways/converters that could expose Industry 4.0 environments to critical attacks. The Trend researchers analysed five popular Modbus translation gateways and found various vulnerabilities and weaknesses that could allow unauthorised access, databases to be decrypted, and stealth commands to sabotage operations.

The second report, Rogue Automation: Vulnerable and Malicious Code in Industrial Programming, highlights design flaws in eight popular industrial programming languages that could allow attackers to hijack industrial robots and automated machines to disrupt production or steal intellectual property. It warns that the industrial automation world may be unprepared to detect and prevent the exploitation of these issues, adding that it is “imperative” that the industry starts to embrace network-security and secure-coding practices. The report includes guidelines for ensuring secure coding to decrease potential disruption to OT (operational technology) environments.

The report on protocol converters warns that hackers could exploit the weaknesses in these devices to view and steal production configurations and sabotage key industrial processes by manipulating process controls, camouflaging malicious commands with legitimate packets, and denying control access.

“Protocol gateways rarely get individual attention, but their importance to Industry 4.0 environments is significant and can be singled out by attackers as a critical weak link in the chain,” cautions Bill Malik, Trend Micro’s vice-president of infrastructure strategy.

The second report – the result of a study conducted jointly by Trend and the Politecnico di Milano in Italy – shows how design flaws in legacy programming languages can lead to vulnerabilities in automation programs.

“Once OT systems are network-connected, applying patches and updates is nearly impossible, which makes secure development up-front absolutely critical,” Malik suggests. “Today, the software backbone of industrial automation depends on legacy technologies that too often contain latent vulnerabilities.”

Legacy proprietary programming languages were not designed with attackers in mind. Developed decades ago, they are now essential to critical automation tasks, but cannot be fixed easily. The researchers demonstrated how a new kind of self-propagating malware could be created using one of the legacy programming languages. Trend has worked with the Robotic Operating System Industrial Consortium to establish recommendations to reduce the exploitability of the identified issues.

Trend Micro and Politecnico di Milano have also developed a patent-pending tool to detect vulnerable or malicious code in task programs, thus preventing damage at runtime. The researchers found 40 instances of vulnerable open source code in the eight programming platforms. As a result, one vendor has removed a vulnerable automation program from its application store, and two more have acknowledged the potential problems. Details of the vulnerabilities have also been shared by the US industrial cyber-security organisation ICS-Cert in an alert to its community.

In addition to the freely downloadable reports on gateways ( https://drivesncontrols.news/tfcea ) and programming languages ( https://drivesncontrols.news/5uunr ), Trend Micro has also produced Web pages on the gateways ( https://drivesncontrols.news/4xq6s ) and languages ( https://drivesncontrols.news/j42ya ) as well as a pair of one-page primers.

www.trendmicro.com

Image caption: One of Trend Micro's two reports focuses on vulnerabilities in industrial programming languages

UK industrial software giant Aveva buys OSIsoft for $5bn

THE UK INDUSTRIAL SOFTWARE supplier Aveva is buying OSIsoft, the US-based real-time industrial data software and services developer, for $5bn. The two companies will combine their products, bringing together industrial software and data management to help customers accelerate their digital transformation. The merged business will have revenues of around £1.2bn. Schneider Electric, which took a majority stake in Aveva in 2017, is said to support the acquisition, and will provide $2.1bn of a proposed $3.5bn rights issue to finance the deal.

Aveva says that OSIsoft’s data management software will complement its own end-to-end engineering, operations, and performance offerings. The two companies’ product suites are open and interoperable, with many customers already using both. Integrating OSIsoft’s PI System into Aveva’s software will create an integrated data foundation that can drive big data, cloud and AI systems. The combination will also enable Aveva to diversify the industries it serves, as well as expanding its footprint. The merged operation will be able to provide full-stack systems spanning edge, plant, and enterprise.

“Combining Aveva and OSIsoft is yet another significant milestone in our journey to achieving the ambitious growth goals that we have set,” says Aveva CEO, Craig Hayman. “This will not only help us serve existing customers better, but also open the floodgates to new opportunities which will accelerate the delivery of our digitisation vision.”

The deal is expected to close around the end of 2020.
