Drives & Controls Magazine September 2023

Microsoft finds Codesys flaws that could affect thousands of PLCs

Cybersecurity researchers at Microsoft have discovered several “high severity” vulnerabilities in the software development kit (SDK) for the Codesys control platform, which is used in around 1,000 automation devices, including PLCs from more than 500 manufacturers.

Microsoft warns that exploitation of these vulnerabilities – which affect all versions of Codesys V3 before version – could put operational technology (OT) infrastructure at risk of denial-of-service (DoS) and remote code execution (RCE) attacks. A DoS attack against a device using a vulnerable version of Codesys could allow the attackers to shut down plants, while remote code execution could create a backdoor allowing attackers to tamper with operations, causing PLCs to run in unusual ways, or to steal critical information.

Microsoft’s researchers reported their discovery of 15 vulnerabilities to the German-based Codesys organisation in September 2022 and worked closely with Codesys to help develop patches that Codesys released earlier this year. In a blog on its discovery, Microsoft “strongly” urges Codesys users to apply these updates as soon as possible. It points out, however, that exploiting the vulnerabilities would require user authentication, as well as a deep knowledge of the Codesys V3 protocol and the structure of the services that the protocol uses.

Codesys is a vendor- and platform-independent development environment that helps automation device manufacturers to implement the IEC 61131-3 programming standard. It can be used to create both hardware- and software-based controllers.

For their research, the Microsoft analysts examined the structure and security of the Codesys protocol, focusing in particular on Schneider Electric’s Modicon TM251 and Wago’s PFC200 PLCs – both of which are Codesys-based.

Other automation suppliers that use Codesys include ABB, Advantech, Bosch Rexroth, Delta Electronics, Eaton, Festo, Hitachi, ifm, Inovance, KEB, Lenze, NUM, Opto 22, Parker Hannifin, WEG and Weidmuller. There are reckoned to be more than 200,000 Codesys end-users worldwide, with several million Codesys devices in service.

Caption: As part of its research into Codesys vulnerabilities, Microsoft examined PLCs from Wago (left) and Schneider Electric

ICS cyber-threat numbers fall, but a third are unpatched

The number of “advisories” about cyber-security vulnerabilities in ICSs (industrial control systems) dropped by 9.8% in the first half of 2023 compared to 2022, but more than a third (34%) of the new vulnerabilities do not have any patch or remediation available, compared to just 13% in the first half of 2022.

The figures come from a new report produced by the US industrial asset and network monitoring company, SynSaber, in collaboration with the ICS Advisory Project – an open-source project that provides data from the US Department of Homeland Security’s CISA (Cybersecurity & Infrastructure Security Agency) ICS Advisories visualised as dashboards for use by the OT/ICS community.

The report analyses the Common Vulnerabilities and Exposures (CVEs) reported via CISA ICS Advisories in the first half of 2023, provides insight and identifies trends in the sector, while comparing the first half of 2023 to previous years.

CISA reported a total of 670 CVEs in the first half of this year compared to 681 in 2022. Of these, 88 were rated as being of “critical” severity, 349 as “high”, 215 as “medium”, and 18 as “low”.

Manufacturing and energy were the two critical infrastructure sectors most likely to be impacted by the CVEs reported during the first half of 2023, accounting for 37.3% and 24.3% of the CISA advisories, respectively. Siemens products received the largest number of CISA advisories (41) of any ICS manufacturer during the first half of 2023.

“The number of CVEs reported is likely to continue increasing over time or at least remain steady,” predicts SynSaber’s co-founder and CEO, Jori VanAntwerp. “It is our hope that this research helps asset owners prioritise when and how to mitigate vulnerabilities.”

Caption: The total number of advisories issued by CISA for ICS vendors, and their severity. The graph comes from a “dashboard” produced by the ICS Advisory Project