OT/SCADA Security – Why the Log4j Vulnerability Matters to OT

Author: Jennifer Walker

Created: Tuesday, December 14, 2021 - 18:20

Categories: Cybersecurity, OT-ICS Security

Yesterday, WaterISAC sent a general advisory regarding the Log4j (CVE-2021-44228) vulnerability. Given the ubiquitous use of the Log4j Java logging library and the ease and severity of exploitation, members are encouraged to review the advisory and take immediate action to assess the impact and address any vulnerability within their environments.

It is important to note that this vulnerability affects both IT and OT/SCADA systems that use Java in their codebase. It has the potential to impact any device (internet accessible or not) that accepts and logs user-supplied data. Dragos highlights that Log4j has the potential to become a vulnerability that will persist within Industrial Control Systems (ICS) environments for years to come, including electric power, water, food and beverage, manufacturing, transportation, and more. Likewise, Dragos assesses with moderate confidence that as network defenders close off more simplistic exploit paths and advanced adversaries incorporate the vulnerability in their attacks, more sophisticated variations of Log4j exploits will emerge with a higher likelihood of directly impacting Operational Technology networks. Accordingly, Dragos provides recommendations for immediate implementation for the three most likely scenarios facing OT operators responding to Log4j. Members are highly encouraged to visit Dragos for these detailed recommendations. Additionally, Dragos is hosting a webinar on Thursday, December 16, on how to mitigate Log4j vulnerabilities in ICS/OT environments.

Finally, as a reminder, CISA published a webpage to help organizations track the most credible, up-to-date information regarding tactics, techniques, and procedures (TTPs) and mitigations. In addition, CISA created a community-sourced GitHub repository that it plans to populate with publicly available information and vendor-supplied advisories. In the meantime, the Netherlands Nationaal Cyber Security Centrum (NCSC-NL) is maintaining a GitHub repository with an extensive (but not all-inclusive) list of known vulnerable and non-vulnerable software. While the NCSC-NL list includes OT vendors, members are encouraged to check with system integrators and with ICS/OT and IoT manufacturers for the most up-to-date status information and advisories.
