Security researchers have discovered numerous vulnerabilities in Honeywell devices used in critical industries that could, if exploited, allow hackers to cause physical disruption and potentially impact the safety of human lives.
Researchers at Armis, a cybersecurity company specializing in asset security, uncovered nine vulnerabilities in Honeywell’s Experion distributed control system (DCS) products. These are digital automated industrial control systems that are used to control large industrial processes across critical industries — like energy and pharmaceutical — where high availability and continuous operations are critical.
The vulnerabilities, seven of which have been given a critical-severity rating, could allow for an attacker to remotely run unauthorized code on both the Honeywell server and controllers, according to Armis. An attacker would need network access to exploit the flaws, which can be gained by compromising a device within a network, from a laptop to a vending machine. However, the bugs allow for unauthenticated access, which means an attacker wouldn’t need to log into the controller in order to exploit it.
While there has been no evidence of active exploitation, Armis tells TechCrunch that hackers could use these flaws to take over the devices and to alter the operation of the DCS controller.
“Worst-case scenarios you can think of from a business perspective are complete outages and a lack of availability. But there’s worse scenarios than that, including safety issues that can impact human lives,” Curtis Simpson, CISO at Armis, told TechCrunch.
Simpson said that the nature of the bugs mean that an attacker can hide these changes from the engineering workstation that manages the DCS controller. “Imagine you have an operator with all the displays controlling the information from the plant, in this environment, everything is fine,” he added. “When it comes to down below in the plant, everything is essentially on fire.”
This is particularly problematic for the oil and gas mining industry, Armis says, where Honeywell DCS systems operate. Honeywell customers include energy giant Shell, U.S. government agencies such as the Department of Defense and NASA, and research-based biopharmaceutical company AstraZeneca, according to Honeywell’s website.
“If you’re able to disrupt critical infrastructure, you’re able to disrupt a country’s ability to operate in many different ways,” Simpson said. “Recovering from this would also be a nightmare. If you look at the pervasiveness of this type of attack, coupled with the lack of cyber awareness about this ecosystem, it could cost organizations millions of dollars per hour to rebuild.”
Armis tells TechCrunch that it alerted Honeywell to the vulnerabilities, which affect a number of its DCS platforms, including the Honeywell Experion Process Knowledge System, LX and PlantCruise platforms, and the C300 DCS Controller, in May. Honeywell made patches available the following month and is urging all affected organizations to promptly apply them.
When reached for comment, Honeywell spokesperson Caitlin E. Leopold said: “We have been working with ARMIS on this issue as part of a responsible disclosure process. We have released patches to resolve the vulnerability and notified impacted customers. There are no known exploits of this vulnerability at this time. Experion C300 owners should continue to isolate and monitor their process control network and apply available patches as soon as possible.”