Researchers have found multiple vulnerabilities in MOXA ioLogik industrial controllers which are widely used in industrial facilities such as utilities and manufacturing plants. Code injection, weak password policies and lack of protection mechanisms allow hackers to execute arbitrary code within webpages and modify settings of vulnerable devices. Mark James, Security Specialist at ESET commented below.

Mark James, Security Specialist at ESET:

mark-james“Sadly most software will have flaws or vulnerabilities, what’s important is how quickly patches and fixes are created and made available for the end user to apply. This usually requires the user to download the patch and apply that to their environment thus fixing the vulnerability. The problem of course is making everyone that is affected aware of the initial problem and that there is a fix available.

Most of the flaws we see in the automation industry are proof of concept, it usually involves a specific environment to be in place but the impact could in some cases be catastrophic. Automation often involves heavy equipment doing precision work and if it fails it could cause thousands of pounds of damage. If that equipment were to go wrong around or close to humans then there is always the potential of injury or even death.”

It’s virtually impossible to have any software driven machinery that is 100% secure. The very nature of software dictates that’s there is always the possibility of someone somewhere finding a way to do something that was not intended to be done. What’s important is how quickly it’s fixed, as more and more automation takes place it’s important to ensure the security is taken very seriously.

Isolating systems and ensuring only physical access is required to update and maintain systems will keep the attack footprint down.”