Meet Armis at Black Hat 2024

Learn More
banner background
Research

Crit.IX

9 vulnerabilities discovered in Honeywell’s Experion® Platforms for Distributed Control Systems (DCS)

By Tom Gol, Armis Labs
Crit.IX hero

Dubbed “Crit.IX” – Armis researchers have found 9 new vulnerabilities in the Honeywell Experion® DCS platforms that could allow for unauthorized remote code execution on both legacy versions of the Honeywell server and controllers. If exploited this would allow an attacker to take over the devices and alter the operation of the DCS controller, whilst also hiding the alterations from the engineering workstation that manages the DCS controller. Exploitation of these vulnerabilities does not require authentication, only network access to the targeted devices. Potentially any compromised IT, IoT, and OT assets on the same network as the DCS devices could be leveraged for an attack.

In May 2022 Armis confirmed with Honeywell the discovery of 13 code issues found within the Experion C300 controller and server. These roll into 9 new vulnerabilities, 7 of them deemed critical. Due to the severity of these vulnerabilities and the impact, Honeywell and Armis have been working together to investigate these findings, understand the underlying issues, and work towards a patch. This has now been released (June 2023) and we encourage all affected customers to patch immediately.

Key findings:

  • Our research revealed weak points in the CDA protocol – a proprietary protocol designed by Honeywell that is used to communicate between Honeywell Experion Servers and C300 controllers. This protocol lacks encryption and proper authentication mechanisms in legacy. As a result, anyone with access to the network is able to impersonate both the controller and the server. In addition, there are design flaws in the CDA protocol which make it hard to control the boundaries of the data and can lead to buffer overflows.
  • Honeywell also implements a CDA Data Client Named Access protocol on the Experion Server, which is used to communicate between Honeywell Experion® server and Experion® applications allowing for tag name access by these applications. Honeywell’s implementation of this protocol was found to contain 4 vulnerabilities that allow remote code execution (RCE) on the Experion Server.
  • During the disclosure process we learned that due to reuse of the vulnerable code in other products, the vulnerabilities also affect Honeywell’s LX and PlantCruise platforms.

Affected devices

The newly discovered vulnerabilities affect a variety of products across a range of versions in three Honeywell Experion DCS platforms. In the Experion Process Knowledge System (EPKS) platform

(Experion Server and Experion Station). In LX and PlantCruise platforms (Engineering Station and Direct Station). In addition, the vulnerabilities affect the C300 DCS Controller, used across all three platforms.

Recent global events highlight the critical nature of Crit.IX

Over the past few years we have seen a steady increase in notable attacks and vulnerabilities on Operational Technology (OT) targets highlighting the increasing risks faced by critical infrastructure systems.

One significant example was the attack on an Iranian steel mill, which was reportedly carried out by the “Predatory Sparrow” hacktivist group back in June 2022. The group stated that it caused a serious fire within the facility and even released a video that appeared to be CCTV footage, showing workers evacuating an area of the plant before a machine began emitting molten steel and fire. The attack is significant due to its rarity in causing physical damage, as most cyber attacks typically occur in the digital realm.

Another high-profile incident involved the Colonial Pipeline, one of the largest fuel pipelines in the United States. In May 2021, the pipeline suffered a ransomware attack that disrupted fuel supplies along the East Coast. The attack exploited vulnerabilities in the pipeline’s IT network, causing operational disruptions and triggering fuel shortages in various states. This event highlighted the interconnectedness between IT and OT systems and emphasized the need for robust cybersecurity measures across all aspects of critical infrastructure.

These examples serve as stark reminders of the growing threat landscape and the urgent need to bolster defenses, implement robust security measures, and promote collaboration between stakeholders to safeguard critical OT systems from potential attacks and vulnerabilities.

ICS vulnerabilities pose a significant risk to critical infrastructure, including power plants, manufacturing facilities, and oil refineries. Responsible vulnerability disclosure plays a crucial role in ensuring the protection of these systems from potential attacks and minimizing the impact on public safety and operational continuity.

Armis takes responsible disclosure very seriously and is pleased to be able to work with Honeywell to find a route to support organizations who will be left exposed to these critical vulnerabilities.

What are the vulnerabilities?


Armis Technical White paper outlines the details of the vulnerabilities and how the Armis team found them – link can be found here

Affected devices

Crit.IX Affecte Devices Table

How can Armis help?

The development and deployment of patches to resolve vulnerabilities present in controllers and engineering workstations in OT environments is essential to reduce the attack surface. Due to the business criticality and their impact in operational processes, the release and installation of patches for these assets requires a very thorough QA process and most likely a maintenance and outage window, which can take a long period of time to coordinate and ultimately to complete. It is reasonable to assume that affected assets will remain vulnerable for a long period of time. During this time, mitigations can be implemented to detect and prevent attacks on these critical infrastructure assets.

Armis customers can leverage the Asset Intelligence and Security Platform to protect their network in the following ways:

  1. Achieve comprehensive Asset Visibility. By obtaining an accurate inventory that encompasses every aspect, from hardware to firmware and software version, organizations can effectively identify vulnerable servers and controllers in their environment.
  2. By implementing a Vulnerability Management program that prioritizes according to risk, organizations can effectively minimize their weak points and reduce the risk of exploits targeting devices without available patches. Moreover, promptly applying security patches upon their release will significantly decrease the window of vulnerability for these devices.
  3. Since the discovered vulnerabilities require only network access to a vulnerable device, Network Segmentation will go a long way in preventing exploitation of these vulnerabilities. By separating the network into distinct segments based on security levels or device types, organizations can limit the lateral movement of attackers, effectively containing potential threats and mitigating the impact on vulnerable devices. The segmentation effort in OT environments can be achieved using an industry reference model such as the Purdue Model, which represents a logical or functional view of OT environments and can be used to identify any deviations from OT assets expected behaviors, specially assets communicating to Level 0 and Level 1 from higher-level assets including assets in the IT networks. The segmentation can be achieved by understanding these asset behaviors in order to whitelist only the expected ones.
  4. Experience has shown that even well protected networks are susceptible to breaches. Thus, it becomes imperative to implement a robust Threat Detection system capable of identifying exploit attempts spanning the entire network and encompassing all devices, including IT, OT, and IoT. Employing a blend of detection techniques, including signature-based analysis, anomaly detection, and indicators of compromise (IOCs), adds an extra layer of security, augmenting the overall defensive posture in the event of an attack.

Additional Resources