June 2021

NEWS June 2021 www.drivesncontrols.com

Ten vulnerabilities discovered in Codesys control software

RUSSIAN CYBER-SECURITY experts have discovered ten vulnerabilities – some of them rated as critical – in the Codesys 2 industrial control software used as the basis for the firmware in controllers from 15 manufacturers, including Beckhoff, Kontron, Festo and Mitsubishi. German-based Codesys has released a software update to fix the vulnerabilities and has issued advisory notices for the three software components affected.

The vulnerabilities were identified by the cyber-security specialist Positive Technologies. It found them first in a Wago 750-8207 PLC. The researchers informed Wago, which passed the information on to Codesys.

Some of these vulnerabilities were rated as 10 out of 10 – or “extremely dangerous”, according to Positive Technologies’ head of ICS security, Vladimir Nazarov. “Their exploitation can lead to remote command execution on PLC, which may disrupt technological processes and cause industrial accidents and economic losses.” To exploit the vulnerabilities, an attacker would not need a user name or password; having network access to the controller would be enough.

The potentially most dangerous problems were found in the Codesys V2.3 Web server component, which is used for HMI displays in Web browsers. Multiple vulnerabilities discovered in this component have received a CVSS (Common Vulnerability Scoring System) score of 10 – the highest possible. Other vulnerabilities, rated at 8.8, were found in the Codesys Control V2 communication runtime system, which allows embedded PC systems to be used as programmable controllers. A final vulnerability, with a rating of 5.3, was discovered in Codesys’ Control V2 Linux SysFile library. Attackers could use it, for example, to delete files and disrupt processes.

To eliminate the vulnerabilities, users are advised to follow the recommendations in the Codesys advisories. If they cannot install an update, they should look for signs of penetration using security-monitoring tools. In its three advisory notices, Codesys says it is not aware of any public exploits targeting the vulnerabilities.

www.ptsecurity.com/ww-en
www.codesys.com/security/security-reports

Picture caption: The Russian cyber-experts first discovered the Codesys vulnerabilities in Wago’s 750-8207 PLC.

Siemens PLC vulnerability is cyber-attackers’ ‘holy grail’

CYBER-RESEARCHERS have found a vulnerability in Siemens’ Simatic S7-1200 and S7-1500 PLCs that could give attackers read and write access anywhere on the PLC, allowing them to execute malicious code remotely. The researchers at Claroty describe such code execution as the “holy grail” for cyber-attackers, allowing them to hide code inside a PLC undetected by the operating system or any diagnostic software.

To eliminate the vulnerability, Siemens has updated the firmware for both PLCs and has issued an advisory notice. Claroty is not aware of any exploitation of the weakness.

According to the firm, achieving native code execution on an industrial control system is an aim few attackers have achieved. These systems have numerous in-memory protections that any attacker would have to overcome, not only to run code but also to remain undetected. Previously, they would have needed physical access and connections to the PLC, or techniques that target engineering workstations and other links to the PLC, to achieve this level of code execution. The new vulnerability bypasses the sandbox in which native code would normally run in protected areas of the PLC’s memory.

https://claroty.com/
https://certportal.siemens.com/productcert/pdf/ssa-434534.pdf

NEWS BRIEFS

• The testing and certification organisation TÜV SÜD has launched a UKCA audit service that will help machinery users to verify that their equipment complies with new UK regulations. The service is a pre-delivery inspection that complements factory acceptance tests (FATs). It will allow purchasers to determine if equipment is built and operating in accordance with UKCA requirements before making a final payment. Any non-compliance issues at this stage are still the responsibility of the manufacturer. UKCA marking is now required for new machinery placed on the market for the first time in Great Britain, but CE marking will continue to be accepted in Northern Ireland. Machinery manufacturers have eight months’ grace for the acceptance of CE marking until 1 January 2022. www.tuvsud.com/uk

• Realtime Robotics, a US company specialising in autonomous motion planning for industrial robots, has completed a Series A round of funding worth $31.4m, with investors including Omron Ventures, Toyota AI Ventures and the Hahn Group. Its real-time collision-free motion planning technology allows single or multiple robots, or autonomous vehicles, to operate autonomously at full speed in unstructured and uncaged environments. https://rtr.ai

• The global market for industrial gearboxes was worth $38.4bn in 2020 and will reach $49.2bn by 2026 – a CAGR of 4.2% over the period – according to a new report from Global Industry Analysts (GIA). Helical boxes will account for $18.8bn of the 2026 total. Planetary boxes represent almost 30% of the market. www.strategyr.com

• Zebra Technologies, which offers performance-enhancing technologies and services, has acquired the Polish machine vision (MV) specialist Adaptive Vision, and has entered the MV and FIS (fixed industrial scanning) markets with a portfolio offering track-and-trace and quality inspection capabilities. Zebra’s MV cameras and scanners use its Aurora software platform to accelerate their deployment. Adaptive specialises in graphical MV software, with tools and algorithms that simplify MV applications. www.zebra.com

• A Californian company, Symbio Robotics, has raised $30m to help it modernise industrial manufacturing by using AI to make industrial robots faster, more capable and more flexible. Its SymbioDCS robotics middleware is said to simplify the programming of robots and make them more intelligent. It allows programmers to use real-time sensor information and feedback from existing sensors in combination with advanced control software. https://symb.io
