Cybersecurity at the Forefront of Industry Concerns in Early 2022

Jan. 4, 2022
Log4j presents industry with another serious security concern as the new year begins. Meanwhile, ISA 99 updates its cybersecurity approach.
Log4j 61d4672fcad96

You’ve likely heard about the log4j cybersecurity vulnerability. Chances are, however, that you’ve mostly heard how this primarily affects public-facing internet systems. Some of the higher profile exploits of this vulnerability include penetration of Belgium’s defense ministry, several ransomware hackings, and taking control of computers to mine cryptocurrency, according to the Washington Post.

Though no incursions of industrial control systems via the log4j vulnerability have yet been reported, we do know that the potential exists. According to aDolus Technology, a supply chain cybersecurity provider, several million operations technology (OT) software packages use log4j. Most OT software suppliers use log4j because it is open-source software that effectively handles required logging tasks. aDolus explains that the log4j vulnerability (called Log4Shell) is “a result of overly-provisioned features enabled by…an insecure default configuration and the implicit trust of messages.”

The National Institute of Standards National Vulnerability Database reports that Log4Shell has been disabled from log4j 2.15.0 and completely removed from version 2.16.0.

If you don't know that the software you use contains log4j, you won't know whether you should patch or block certain traffic, or perhaps do nothing at all.

As with most cybersecurity correction measures, protecting your operations requires identification of the vulnerability in your systems. After all, as aDolus notes, if you don't know that the software you use contains log4j, you won't know whether you should patch or block certain traffic, or perhaps do nothing at all.

According to aDolus, a software bill of materials (SBOMs) is the “best tool for uncovering hidden vulnerabilities like Log4Shell.” The FACT platform from aDolus reportedly provides “enriched SBOMs that report all the subcomponents of a software package” and can be a valuable tool for cybersecurity assessments. Source code analysis is another option if you have access to the source code, but that's often not the case in the OT world, according to aDolus.

More detailed information about mitigating Log4Shell and other log4j-related vulnerabilities can be found at

 ISA99 Update

As 2022 began, the ISA99 Committee on Industrial Automation Control Systems (IACS) Cybersecurity issued an update to stakeholders about its focus moving forward considering the ever-evolving cybersecurity threats facing industry.

Key aspects of this notice from the committee include:

  • 62443-1-1 (Terminology, concepts, and models) – The first edition of this document was published by ISA in 2007 and later distributed as a technical specification by IEC. Since then, the committee’s understanding of the subject has evolved considerably, as reflected in the more detailed standards in the series. These changes have been incorporated into the second edition of 62443-1-1 that is currently circulating for review and comment in both ISA99 and IEC TC 65 WG 10.
  • 62443-1-3 (Performance metrics for IACS security) – This technical report defines a methodology for the development of quantitative metrics derived from process and technical requirements defined in the ISA/IEC 62443 series. It has been circulated for review and comment and further revisions are underway.
  • 62443-1-6 (Application of the ISA/IEC 62443 standards to the Industrial Internet of Things) – This technical report describes considerations for asset owners when they are deciding on the implementation of Industrial Internet of Things (IIoT) technologies and provides guidance on the requirements of the ISA/IEC 62443 series to clarify and mitigate any cybersecurity concerns. It will be circulated for review and comment in early 2022.
  • 62443-2-3 (Security update [patch] management) – This technical report was published by ISA in 2015 to address the requirements for an effective automation system patch management program. A second edition has been completed and will soon be circulated for a second round of review and comment.
  • 62443-2-2 (IACS security protection) – This document prescribes the requirements to perform a protection level rating during the operation of an automation system. It was recently circulated for review and comment.
  • 62443-3-3 (System security requirements and security levels) – First published in 2013, this document prescribes the security requirements for control systems and assigns system security levels to the system under consideration. The committee is currently preparing a second edition. 
About the Author

David Greenfield, editor in chief | Editor in Chief

David Greenfield joined Automation World in June 2011. Bringing a wealth of industry knowledge and media experience to his position, David’s contributions can be found in AW’s print and online editions and custom projects. He is also the chief program architect of the annual Automation World Conference & Expo. Earlier in his career, David was Editorial Director of Design News at UBM Electronics, and prior to joining UBM, he was Editorial Director of Control Engineering at Reed Business Information, where he also worked on Manufacturing Business Technology as Publisher. 

Sponsored Recommendations

Measurement instrumentation for improving hydrogen storage and transport

Hydrogen provides a decarbonization opportunity. Learn more about maximizing the potential of hydrogen.

Learn About: Micro Motion™ 4700 Config I/O Coriolis Transmitter

An Advanced Transmitter that Expands Connectivity

Learn about: Micro Motion G-Series Coriolis Flow and Density Meters

The Micro Motion G-Series is designed to help you access the benefits of Coriolis technology even when available space is limited.

Micro Motion 4700 Coriolis Configurable Inputs and Outputs Transmitter

The Micro Motion 4700 Coriolis Transmitter offers a compact C1D1 (Zone 1) housing. Bluetooth and Smart Meter Verification are available.