Log4j Cybersecurity Concerns in Industry – Automation World

Youve likely heard about the log4j cybersecurity vulnerability. Chances are, however, that youve mostly heard how this primarily affects public-facing internet systems. Some of the higher profile exploits of this vulnerability include penetration of Belgiums defense ministry, several ransomware hackings, and taking control of computers to mine cryptocurrency, according to the Washington Post.

Though no incursions of industrial controls systems via the log4j vulnerability have yet been reported, we do know that the potential exists. According to aDolus Technology, a supply chain cybersecurity provider, several million operations technology (OT) software packages use log4j. Most OT software suppliers use log4j because it is opensource software that effectively handles required logging tasks. aDolus explains that the log4j vulnerability (called Log4Shell) is a result of overly-provisioned features enabled byan insecure default configuration and the implicit trust of messages.

The National Institute of Standards National Vulnerability Database reports that Log4Shell has been disabled from log4j 2.15.0 and completely removed from version 2.16.0.

If you don't know that the software you use contains log4j, you won't know whether you should patch or block certain traffic, or perhaps do nothing at all.

As with most cybersecurity correction measures, protecting your operations requires identification of the vulnerability in your systems. After all, as aDolus notes, if you don't know that the software you use contains log4j, you won't know whether you should patch or block certain traffic, or perhaps do nothing at all.

According to aDolus, a software bill of materials (SBOMs) is the best tool for uncovering hidden vulnerabilities like Log4Shell. TheFACT platformfrom aDolus reportedly providesenriched SBOMsthat report all the subcomponents of a software package and can be a valuable tool for cybersecurity assessments. Source code analysis is another option if you have access to the source code, but that's often not the case in the OT world, according to aDolus.

More detailed information about mitigating Log4Shell and other log4j-related vulnerabilities can be found at https://www.cisa.gov/uscert/ncas/alerts/aa21-356a.

ISA99 Update

As 2022 began, the ISA99 Committee on Industrial Automation Control Systems (IACS) Cybersecurity issued an update to stakeholders about its focus moving forward considering the ever-evolving cybersecurity threats facing industry.

Key aspects of this notice from the committee include:

Read this article:

Log4j Cybersecurity Concerns in Industry - Automation World