Security researchers have discovered numerous vulnerabilities in Honeywell devices used in critical industries that could, if exploited, allow hackers to cause physical harm and potentially affect the safety of human life.
Researchers at Armis, a cybersecurity company specializing in asset security, discovered nine vulnerabilities in Honeywell’s Experion distributed control system (DCS) product. It is a digital automated industrial control system used to control large industrial processes across critical industries — such as energy and pharmaceuticals — where high availability and continuous operation are critical.
The vulnerabilities, seven of which have been rated critical-severity, could allow an attacker to remotely execute unauthorized code on Honeywell servers and controllers, according to Armis. An attacker would need network access to exploit the flaw, which could be obtained by compromising any device on the network, from laptops to vending machines. However, the bug allows unauthenticated access, meaning an attacker doesn’t need to be logged into a controller to exploit it.
While there’s no evidence of an active exploit yet, Armis told Zero2Billions that hackers could use this vulnerability to take control of devices and change the operation of the DCS controller.
“The worse case scenario you can think of from a business perspective is a total outage and lack of availability. But there are worse scenarios than that, including security issues that could affect human life,” Curtis Simpson, CISO at Armis, told Zero2Billions.
Simpson said that the nature of the bug meant an attacker could hide these changes from the engineering workstation that manages the DCS controller. “Imagine you have an operator with all the displays that controls the information from the factory, in this environment, everything is fine,” he added. “When it got under the factory, everything was basically on fire.”
This is especially problematic for the oil and gas mining industry, said Armis, where Honeywell’s DCS systems operate. Honeywell’s customers include energy giant Shell, US government agencies including the Department of Defense and NASA, and research-based biopharmaceutical company AstraZeneca, according to Honeywell’s website.
“If you can disrupt critical infrastructure, you can disrupt a country’s ability to operate in a number of ways,” Simpson said. “Recovering from this would also be a nightmare. If you look at the breadth of these types of attacks, coupled with the lack of cyber awareness about this ecosystem, organizations can cost millions of dollars an hour to rebuild.”
Armis notified Zero2Billions that it alerted Honeywell to the vulnerability, which affects a number of its DCS platforms, including Honeywell’s Experion Process Knowledge System, the LX and PlantCruise platforms, and the DCS C300 Controller, in May. Honeywell made the patch available the following month and urged all affected organizations to apply it immediately.
Asked to comment, Honeywell spokeswoman Caitlin E. Leopold said: “We have worked closely with ARMIS on this matter as part of our responsible disclosure process. We have released a patch to address the vulnerability and notified affected customers. There are no known exploits of this vulnerability at this time. Experion C300 owners should continue to isolate and monitor their process control network and apply available patches as soon as possible.”