
Critical Warnings for Industrial Control Systems: What Houston Manufacturers & Utilities Need to Know
Critical Updates: CISA’s Advisory on Hitachi Energy and Rockwell Automation Systems
The Cybersecurity and Infrastructure Security Agency (CISA) recently released two important Industrial Control Systems (ICS) advisories affecting critical infrastructure sectors. These warnings highlight significant vulnerabilities in systems from Hitachi Energy and Rockwell Automation that could potentially impact operations across manufacturing, energy, and other critical sectors.
Hitachi Energy MicroSCADA Pro/X SYS600: Multiple Critical Vulnerabilities
The Issue
CISA has identified multiple high-risk vulnerabilities in Hitachi Energy’s MicroSCADA Pro/X SYS600 products, which are widely used across industrial environments for monitoring and control operations. Successful exploitation of these vulnerabilities could allow attackers to “inject code towards persistent data, manipulate the file system, hijack a session, or engage in phishing attempts against users.”
Risk Level
The vulnerabilities have been assigned high severity ratings, with some having CVSS scores as high as 8.8, indicating critical security issues. Multiple versions of the MicroSCADA Pro/X SYS600 product line are affected, including:
- Versions 10.0 to 10.5 (CVE-2024-4872, CVE-2024-3980, CVE-2024-3982)
- Versions 10.2 to 10.5 (CVE-2024-7940)
- Version 10.5 (CVE-2024-7941)
- Version 9.4 FP1 (CVE-2024-3980)
- Version 9.4 FP2 HF1 to FP2 HF5 (CVE-2024-4872, CVE-2024-3980)
Exploitation Methods
These vulnerabilities can be exploited in various ways:
- Code Injection (CVE-2024-4872): A vulnerability in query validation could allow an authenticated attacker to inject code towards persistent data.
- File System Manipulation (CVE-2024-3980): The MicroSCADA Pro/X SYS600 product allows authenticated user input to control or influence paths or file names used in filesystem operations, potentially allowing attackers to access or modify system files or other critical application files.
- Session Hijacking (CVE-2024-3982): An attacker with local access to a machine where MicroSCADA X SYS600 is installed could enable session logging and attempt to hijack an already established session.
Remediation
Hitachi Energy has provided specific remediation steps:
- For MicroSCADA X SYS600:
  - Update to Version 10.6 for comprehensive protection against all identified vulnerabilities (CVE-2024-4872, CVE-2024-3980, CVE-2024-3982, CVE-2024-7940, CVE-2024-7941)
- For MicroSCADA Pro SYS600:
  - Apply Patch 9.4 FP2 HF6 for vulnerabilities CVE-2024-4872 and CVE-2024-3980 (Installation of previous FP2 hotfixes is required prior to installing HF6)
- General Mitigation Measures:
  - Ensure that process control systems are physically protected from direct access by unauthorized personnel
  - Separate process control networks from the internet and other networks using firewall systems with minimal exposed ports
  - Avoid using process control systems for internet browsing, messaging, or emails
  - Carefully scan portable computers and removable storage media for viruses before use
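The affected-version list and remediation steps above can be turned into an inventory triage check. The following is an added example, not code from CISA, Hitachi Energy, or this article's author; the version-string format ("M.m [FPn [HFn]]"), the hostnames, and the sample inventory are assumptions made for illustration.

```python
import re

# Affected ranges transcribed from the list above; bounds are inclusive
# (major, minor, FP, HF) tuples. Versions outside them are reported as not listed.
AFFECTED = [
    ((10, 0, 0, 0), (10, 5, 0, 0), ["CVE-2024-4872", "CVE-2024-3980", "CVE-2024-3982"]),
    ((10, 2, 0, 0), (10, 5, 0, 0), ["CVE-2024-7940"]),
    ((10, 5, 0, 0), (10, 5, 0, 0), ["CVE-2024-7941"]),
    ((9, 4, 1, 0), (9, 4, 1, 0), ["CVE-2024-3980"]),
    ((9, 4, 2, 1), (9, 4, 2, 5), ["CVE-2024-4872", "CVE-2024-3980"]),
]
# Assumed inventory format: "10.4", "9.4 FP1", "9.4 FP2 HF3"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s+FP(\d+))?(?:\s+HF(\d+))?$", re.I)

def parse_version(text):
    """'9.4 FP2 HF3' -> (9, 4, 2, 3); missing FP/HF count as 0; None if unparseable."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def applicable_cves(version):
    """Return the sorted CVE IDs whose listed range contains this version tuple."""
    cves = set()
    for low, high, ids in AFFECTED:
        if low <= version <= high:
            cves.update(ids)
    return sorted(cves)

def triage(hostname, version_text):
    """Classify one inventory row as AFFECTED, NOT LISTED, or UNPARSED."""
    v = parse_version(version_text)
    if v is None:  # never treat an unreadable version as safe
        return (hostname, "UNPARSED", [], "verify installed version manually")
    cves = applicable_cves(v)
    if not cves:
        return (hostname, "NOT LISTED", [], "confirm against the vendor advisory")
    fix = ("update to 10.6" if v[0] >= 10
           else "apply 9.4 FP2 HF6 (earlier FP2 hotfixes first)")
    return (hostname, "AFFECTED", cves, fix)

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [("scada-hist-01", "10.4"), ("scada-hmi-02", "10.5"),
             ("substation-a", "9.4 FP2 HF3"), ("substation-b", "9.4 FP1"),
             ("lab-upgrade", "10.6"), ("legacy-unk", "SYS600 v?")]

if __name__ == "__main__":
    for host, ver in INVENTORY:
        print(triage(host, ver))
```

Rows reported as UNPARSED or NOT LISTED still need a manual check against the vendor advisory, since this list covers only the versions named above.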
Rockwell Automation Lifecycle Services with Veeam Backup and Replication: RCE Vulnerability
The Issue
CISA has identified a serious vulnerability in Rockwell Automation’s Lifecycle Services that incorporate Veeam Backup and Replication. This vulnerability could allow attackers with administrative privileges to execute code on target systems.
Risk Level
The vulnerability has been assigned a CVSS v3.1 base score of 9.9 and a CVSS v4 score of 9.4, indicating an extremely high-risk security issue.
Affected products include:
- Industrial Data Center (IDC) with Veeam: Generations 1 – 5
- VersaVirtual Appliance (VVA) with Veeam: Series A – C
Exploitation Methods
The vulnerability exists in Veeam Backup & Replication, which is a comprehensive data protection and disaster recovery solution used by Rockwell Automation in their Lifecycle Services. Exploitation requires authentication to the domain but could result in arbitrary code execution, potentially compromising critical data such as backups and images.
The threat is particularly significant as CISA has confirmed that similar Veeam vulnerabilities “have already been exploited by ransomware groups like EstateRansomware, Akira, Cuba, and FIN7 for initial access, credential theft, and other malicious activities.”
Remediation
Rockwell Automation has provided the following remediation guidance:
- For Users with Active Infrastructure Managed Service Contracts:
  - Rockwell Automation will contact impacted users directly to discuss actions needed for remediation efforts.
- For Users Without Managed Services Contracts:
  - Refer to Veeam’s advisories and Support Content Notification on the Veeam support portal.
  - Apply appropriate updates provided by Veeam or other vendors which use this software immediately after appropriate testing.
- General Security Recommendations:
  - Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the Internet.
  - Locate control systems behind firewalls and isolate them from business networks.
  - Establish and maintain a documented vulnerability management process with regular reviews and updates.
  - Implement automated patch management for timely updates.
How CinchOps Can Help Secure Your Business
In light of these critical CISA advisories, protecting your industrial control systems has never been more important. CinchOps offers comprehensive ICS security solutions that can help you:
- Vulnerability Assessment: CinchOps can identify vulnerabilities in your ICS environment, including those highlighted by CISA, and prioritize them based on risk.
- Patch Management: We provide streamlined patch deployment processes for critical systems, ensuring minimal operational disruption while maximizing security.
- Network Segmentation: Our team can implement proper network segmentation to isolate critical control systems from business networks and the internet.
- Continuous Monitoring: We offer 24/7 monitoring services to detect and respond to potential security incidents before they impact your operations.
- Incident Response: Our experienced team provides rapid response capabilities to contain and remediate security incidents affecting industrial control systems.
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
Don’t wait until a vulnerability is exploited. Contact CinchOps today to enhance your industrial cybersecurity posture and protect your critical infrastructure from emerging threats.