Critical Vulnerabilities Found in Honeywell Experion® DCS Platforms: Crit.IX Unveils 9 Security Flaws

Armis and Honeywell have jointly disclosed “Crit.IX”, 9 new vulnerabilities that Armis researchers found in the Honeywell Experion® DCS platforms that could allow for unauthorized remote code execution on both legacy versions of the Honeywell server and controllers. If exploited this would allow an attacker to take over the devices and alter the operation of the DCS controller, whilst also hiding the alterations from the engineering workstation that manages the DCS controller. Exploitation of these vulnerabilities does not require authentication, only network access to the targeted devices. Potentially any compromised IT, IoT, and OT assets on the same network as the DCS devices could be leveraged for an attack.

In May 2022 Armis confirmed with Honeywell the discovery of 13 code issues found within the Experion C300 controller and server. These roll into 9 new vulnerabilities, 7 of them deemed critical. Due to the severity of these vulnerabilities and the impact, Honeywell and Armis have been working together to investigate these findings, understand the underlying issues, and work towards a patch. Honeywell has made available security patches and strongly advises all affected customers to patch immediately.

Key findings:

• Our research revealed weak points in the CDA protocol – a proprietary protocol designed by Honeywell that is used to communicate between Honeywell Experion Servers and C300 controllers. This protocol lacks encryption and proper authentication mechanisms in legacy. As a result, anyone with access to the network is able to impersonate both the controller and the server. In addition, there are design flaws in the CDA protocol which make it hard to control the boundaries of the data and can lead to buffer overflows.
• Honeywell also implements a CDA Data Client Named Access protocol on the Experion Server, which is used to communicate between Honeywell Experion® server and Experion® applications allowing for tag name access by these applications. Honeywell’s implementation of this protocol was found to contain 4 vulnerabilities that allow remote code execution (RCE) on the Experion Server.
• During the disclosure process we learned that due to reuse of the vulnerable code in other products, the vulnerabilities also affect Honeywell’s LX and PlantCruise platforms.

Affected Devices
The newly discovered vulnerabilities affect a variety of products across a range of versions in three Honeywell Experion DCS platforms. In the Experion Process Knowledge System (EPKS) platform (Experion Server and Experion Station). In LX and PlantCruise platforms (Engineering Station and Direct Station). In addition, the vulnerabilities affect the C300 DCS Controller, used across all three platforms.

Safeguarding Critical Infrastructure
Over the past few years we have seen a steady increase in notable attacks and vulnerabilities on Operational Technology (OT) targets highlighting the increasing risks faced by critical infrastructure systems.

One significant example was the attack on an Iranian steel mill, which was reportedly carried out by the “Predatory Sparrow” hacktivist group back in June 2022. The group stated that it caused a serious fire within the facility and even released a video that appeared to be CCTV footage, showing workers evacuating an area of the plant before a machine began emitting molten steel and fire. The attack is significant due to its rarity in causing physical damage, as most cyber attacks typically occur in the digital realm.

Another high-profile incident involved the Colonial Pipeline, one of the largest fuel pipelines in the United States. In May 2021, the pipeline suffered a ransomware attack that disrupted fuel supplies along the East Coast. The attack exploited vulnerabilities in the pipeline’s IT network, causing operational disruptions and triggering fuel shortages in various states. This event highlighted the interconnectedness between IT and OT systems and emphasized the need for robust cybersecurity measures across all aspects of critical infrastructure.

These examples serve as stark reminders of the growing threat landscape and the urgent need to bolster defenses, implement robust security measures, and promote collaboration between stakeholders to safeguard critical OT systems from potential attacks and vulnerabilities.

ICS vulnerabilities pose a significant risk to critical infrastructure, including power plants, manufacturing facilities, and oil refineries. Responsible vulnerability disclosure plays a crucial role in ensuring the protection of these systems from potential attacks and minimizing the impact on public safety and operational continuity.