Researchers have found 6 critical vulnerabilities in a third-party provider to leading industrial control systems (ICS) providers including Rockwell Automation and Siemens.
According to the report, the flaws exist in CodeMeter, owned by Wibu-Systems, a software management component utilized by the likes of Rockwell and Siemens. Unauthenticated attackers can exploit the vulnerabilities and launch attacks, including ransomware, that could shut down critical systems.
The researchers have warned that “CodeMeter is a widely deployed third-party tool that is integrated into numerous products.”
These newly discovered vulnerabilities are a byproduct of several factors, including the accelerated merging of IT and operational technology (OT) in industrial control systems. As we have written previously, “the merging of operational technology (OT) and information technology (IT) in recent years has led to a decrease in the number of air gaps—the thing that used to make critical infrastructure like utilities less vulnerable to cyber attacks. With the rise of IoT, industrial control systems have become more connected and thus more vulnerable to attack.”
From the work of experts like Dragos, we already see an uptick in ransomware attacks on critical infrastructure seeking to exploit the vulnerabilities borne out of this trend.
As we wrote in an Alert on GE recently, the poor management of these risks, from the third party vendors to the first tier service providers (like Siemens, GE), pose a systemic risk to the public and shareholders alike. And in the case of any company that uses Wibu-Systems and CodeMeter, they are only as secure as their weakest link.