September 2024 Patch Tuesday brought security advisories from several ICS vendors, including Siemens, Schneider Electric and ABB, as well as the US cybersecurity agency CISA.
Siemens published 17 new advisories. The most serious of the vulnerabilities based on its CVSS score — Siemens now includes CVSS 4.0 scores in some advisories — is a critical authentication bypass issue in the Industrial Edge Management product. The flaw could allow an unauthenticated, remote attacker to impersonate other devices onboarded to the system.
The list of critical vulnerabilities also includes unauthenticated remote code execution flaws in Simatic products, and a code injection vulnerability in Scalance W products.
Other potentially serious flaws — with severity ratings of ‘critical’ or ‘high’ — include DoS bugs in Automation License Manager and Sicam products, a privilege escalation issue in Sinumerik products, a remote code execution issue in Sinema Remote Connect Client, and a potential arbitrary code execution or crash issue in Tecnomatix Plant Simulation.
High-severity DoS bugs have been found in various Simatic products. Medium-severity issues have been addressed in Sinumerik, Sinema, and Mendix products.
Siemens has yet to release patches for some of these vulnerabilities, but mitigations and workarounds are available.
Schneider Electric has released two new advisories, each covering a single vulnerability. One is a high-severity privilege escalation in Vijeo Designer. The other is a medium-severity XSS bug that can be exploited by an authenticated attacker.
ABB has published one advisory to inform customers about two medium-severity DoS issues in Relion protection relays.
CISA has released four ICS advisories. One of them covers three critical- and high-severity vulnerabilities in a product from Viessmann Climate Solutions SE. The flaws are related to hardcoded credentials, forced browsing, and command injection, and PoC code is publicly available.
The remaining three advisories cover a high-severity file upload vulnerability in SpiderControl SCADA Web Server, a high-severity DoS bug in Rockwell Automation SequenceManager, and a medium-severity information exposure issue in BPL Medical Technologies Android applications.
ICS Patch Tuesday September 2024: Advisories Published by ABB, Siemens, Schneider, CISA
For September 2024, two dozen ICS Patch Tuesday advisories were published by Siemens, Schneider Electric, CISA and ABB.