Safeguarding Your ICS Against the Log4j Vulnerability

March 11, 2022
Although no information about industrial control systems being breached via Log4j has yet been made public, the threat exists.

Quick hits:

  • The Log4j vulnerability is a cybersecurity loophole that exploits a small, nearly ubiquitous piece of software called Log4j, which is used for recording the activities of various computer programs.
  • If a Log4j attack were to occur on an ICS, malicious code could be executed, granting a threat actor the ability to take control of applications used to view and control physical processes.
  • ICS vendors and OEMs can assist end users in remediating the Log4j loophole by openly announcing which of their products are vulnerable and sharing information on how they can be patched.

Read the transcript below:

Hello and welcome to Take Five with Automation World. I’m David Miller, Senior Technical Writer for Automation World. Today, I’m going to be talking about the Log4j vulnerability, how it might affect industrial control systems, and how industrial operators can defend themselves from it.

Now, the first and most important question to answer is of course: What is the Log4j vulnerability? Well, many viewers have probably already heard of it, but if you haven’t, that’s okay. Essentially, the Log4j vulnerability is a cybersecurity loophole that works by exploiting a very small and nearly ubiquitous piece of software called – obviously – Log4j, which is used in all kinds of computer programs to record or log events, errors, and routine system operations so that diagnostic messages and other things of that kind can be produced and sent onward to system administrators or others when certain events occur that, again, quite simply need to be logged.

The Log4j vulnerability takes advantage of this common and necessary mechanism to allow a third-party server to submit software code to Log4j, which can trigger the performance of malicious actions on a targeted system. So, we’re talking about things like stealing sensitive information, taking control of a system, or passing some kind of malicious code of that nature onto another system that is communicating with the affected system.

Currently, there’s been no publicized information about a Log4j compromise occurring in connection with an industrial control system – rather, the examples we’ve seen have been things like hackers trying to take control of computers to use them to mine cryptocurrency, or, in another much more high-profile example, computers at the Belgian defense ministry which had information stolen from them. But industrial control systems do most certainly use Log4j, and therefore, they are vulnerable.

Moreover, you can imagine the consequences if an industrial control system were penetrated. A threat actor could monitor or even take control of physical processes that are not only needed for some mission-critical application like cleaning wastewater in the case of public infrastructure, but could also involve large, dangerous machinery, the disrupted operation of which could result in a catastrophic safety hazard to employees.

As promised, the question to be answered now is: How can industrial operators protect themselves against Log4j attacks? There are a few ways.

First of all, update the version of Log4j being used in your system. The National Institute of Standards’ National Vulnerability Database has reported that Log4Shell – the name for the Log4j vulnerability – has been disabled as of Log4j 2.15.0 and completely removed from version 2.16.0. So if you can identify those pieces of software you’re using which employ Log4j and update them, this will solve your problem. It’s as simple as that.

Beyond that, the tried and true method of isolating any critical industrial control systems from external business networks or the broader internet continues to be of value. This enhances safety tremendously.

It’s also important to monitor any outgoing connections that do exist for cyber threats. Many industrial control systems produce outgoing communication in the form of messages pertaining to maintenance, metering, diagnostics, and more. So again, when these are absolutely necessary, they should be monitored for abnormalities.

Finally, operators should ensure that frequent backups are made and that very, very rigid backup procedures are in place. Because if you have a stable backup of your industrial control system, then God forbid if an incident does occur, you will be able to bring your system back online as quickly as possible.

The one final thing I would note is that this is not just something for end users of industrial control systems to pay attention to, but vendors and OEMs as well. They can assist in this process by openly announcing which of their products have Log4j vulnerabilities, and sharing information about how patches, remediations, and updates to fix these vulnerabilities can be implemented.

Other than that, that’s everything I have for you today, so I hope our viewers find this helpful. I’d also like to add that if you’ve had any personal experience with Log4j at your company and think you have valuable experience to share, we’d love to hear more about it. If you’d like to do so, you can reach me at [email protected]. Otherwise, that's all I have for you today.
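The first remediation step in the transcript, identifying which software on your systems carries Log4j and whether its version is below the 2.15.0 / 2.16.0 thresholds cited above, is the part most operators struggle with, because log4j-core is often buried inside application archives rather than sitting in a visible library folder. The following inventory script is an added example, not code from Automation World or from the Log4j project. It assumes a Linux or Windows host where you can read the application directories; it finds `log4j-core` jars on disk and one level deep inside `.jar`, `.war` and `.ear` archives, reads the version from the file name or from the jar's `META-INF/MANIFEST.MF`, and classifies each find against the thresholds from the transcript. The directory layout and jar contents built in `demo()` are constructed for illustration.

```python
"""Inventory log4j-core jars under a directory tree and classify their
versions against the thresholds the transcript cites (2.15.0 disabled the
vulnerable lookup, 2.16.0 removed it). Added example; not Automation World's
or the Log4j project's code. demo() builds a constructed sample tree."""
import io
import os
import re
import tempfile
import zipfile

# Matches log4j-core-2.14.1.jar and also a renamed log4j-core.jar (no version).
JAR_NAME = re.compile(r"^log4j-core(?:-(\d+(?:\.\d+)*))?\.jar$")
MITIGATED = (2, 15, 0)   # lookup disabled by default from this version
FIXED = (2, 16, 0)       # lookup code removed from this version


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pads to three parts, ignores '-rc1' style suffixes."""
    m = re.match(r"(\d+(?:\.\d+)*)", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def classify(version):
    """Map a version tuple to the remediation state used in the report."""
    if version is None:
        return "unknown"
    if version < MITIGATED:
        return "vulnerable"
    if version < FIXED:
        return "mitigated"   # still below the removal threshold; update anyway
    return "fixed"


def manifest_version(jar_bytes):
    """Fallback when the file name carries no version: read the jar manifest."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1].strip())
    return None


def inspect_jar(path, data):
    """Build one finding: version from the name if present, else the manifest."""
    m = JAR_NAME.match(os.path.basename(path))
    version = parse_version(m.group(1)) if m and m.group(1) else manifest_version(data)
    return {"path": path, "version": version, "status": classify(version)}


def scan(root):
    """Walk `root`; report log4j-core jars on disk and one level inside
    .jar/.war/.ear archives, where web apps and fat jars commonly embed them."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if JAR_NAME.match(name):
                with open(full, "rb") as fh:
                    findings.append(inspect_jar(full, fh.read()))
            elif name.endswith((".jar", ".war", ".ear")):
                try:
                    with zipfile.ZipFile(full) as outer:
                        for inner in outer.namelist():
                            if JAR_NAME.match(os.path.basename(inner)):
                                findings.append(inspect_jar(full + "!" + inner, outer.read(inner)))
                except zipfile.BadZipFile:
                    continue   # not really a zip archive; skip it
    return sorted(findings, key=lambda f: f["path"])


def build_jar(version):
    """Constructed stand-in for a real jar: only a manifest with a version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return buf.getvalue()


def demo():
    """Constructed tree: an old jar, a renamed 2.15.0 jar, a fixed jar inside a war."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(build_jar("2.14.1"))
    with open(os.path.join(root, "lib", "log4j-core.jar"), "wb") as fh:
        fh.write(build_jar("2.15.0"))
    with zipfile.ZipFile(os.path.join(root, "hmi.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", build_jar("2.17.1"))
    return scan(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:<11} {f['version']}  {f['path']}")
```

Run it against the real application directories of an engineering workstation or HMI server (`scan("/opt")` or the vendor's install path) and feed the "vulnerable" and "mitigated" rows into your patch list; the "unknown" state is the one to chase by hand, since a jar with no readable version is exactly the kind of component a vendor advisory, as the transcript asks OEMs to publish, should clear up.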