Honeywell devices used in critical industries have numerous vulnerabilities that could allow hackers to cause physical disruption and possibly endanger lives.
Armis, a cybersecurity company focused on asset security, found nine vulnerabilities in Honeywell’s Experion distributed control system (DCS) products. These digital automated industrial control systems run large industrial processes in critical industries like energy and pharmaceuticals that require high availability and continuous operations.
Armis says seven critical vulnerabilities could allow an attacker to remotely run code on the Honeywell server and controllers. An attacker could compromise a laptop or vending machine to gain network access and then exploit the flaws. The bugs allow attackers to exploit the controller without logging in.
Armis tells TechCrunch that hackers could use these flaws to take over devices and change DCS controller operation.
Complete outages and unavailability are the worst business scenarios. “But there are worse scenarios, including safety issues that can impact human lives,” Armis CISO Curtis Simpson told TechCrunch.
Simpson said the bugs allow an attacker to hide these changes from the engineering workstation that manages the DCS controller. “Imagine an operator with all the displays controlling the plant information, in this environment, everything is fine,” he said. “The plant is on fire below.”
Armis says Honeywell DCS systems in oil and gas mining are especially problematic. Honeywell’s website lists Shell, NASA, and AstraZeneca as customers.
“If you can disrupt critical infrastructure, you can disrupt a country’s ability to operate in many ways,” Simpson said. “Recovering would also be a nightmare. The pervasiveness of this attack and the lack of cyber awareness about this ecosystem could cost organizations millions of dollars per hour to rebuild.”
In May, Armis informed Honeywell of the vulnerabilities, which affect the Honeywell Experion Process Knowledge System, LX and PlantCruise platforms, and the C300 DCS Controller, according to TechCrunch. Honeywell released patches the following month and advised affected organizations to apply them immediately.
Honeywell spokesperson Caitlin E. Leopold said, “We have been working with ARMIS on this issue as part of a responsible disclosure process. We patched and notified customers. This vulnerability is currently unexploited. Experion C300 owners should continue to isolate and monitor their process control network and apply available patches as soon as possible.”