
All news with #ot security tag

321 articles

Why AI Security Strategies Fail at the OT Edge

🔧 Industrial AI initiatives collide with legacy OT realities: an AI-ready control room can still depend on an unpatched Windows 7 maintenance laptop that alone communicates with protection relays. The author reports pervasive visibility gaps across utilities and plants, noting fewer than 10% of OT networks have meaningful monitoring. AI trained on IT telemetry misclassifies normal industrial traffic and automated responses risk shutting down production; passive monitoring of Level 0–2 protocols and a focus on crown-jewel processes are essential before layering AI.

CISA Advisory: Multiple Critical Vulnerabilities in ScadaBR

⚠ CISA reports multiple critical vulnerabilities in ScadaBR version 1.2.0, including missing authentication, OS command injection, CSRF, and hard-coded credentials. Successful exploitation could enable unauthenticated remote code execution, root command execution, arbitrary sensor injection, or full administrative access. The vendor did not respond to CISA requests; users should contact ScadaBR support and implement network-level mitigations immediately.

Kieback & Peter DDC Controllers Vulnerable to XSS Alert

⚠️ A cross-site scripting vulnerability (CWE-79, CVSS v3 5.3) affects multiple Kieback & Peter DDC Building Controllers and can enable execution of arbitrary JavaScript in a victim's browser, potentially allowing attacker control of web sessions. Affected models include end-of-maintenance units (DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400) and e-series controllers (DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, DDC4040e). The vendor advises isolating legacy devices, restricting and disabling web access where possible, and updating e-series firmware to the specified versions (e.g., DDC520 -> 1.24.2; DDC4002e/DDC4200e/DDC4400e/DDC4020e/DDC4040e -> 1.23.5) while implementing defense-in-depth controls.

ABB CoreSense Path Traversal Fixed in New Updates Released

🔒 ABB published updates addressing a path traversal vulnerability (CWE-22, CVSS v3 7.1) affecting CoreSense HM and CoreSense M10. The flaw allowed unauthenticated local users to access restricted directories and could lead to full system compromise and sensitive data exposure. ABB fixed the issue in CoreSense HM v2.3.4 and CoreSense M10 v1.4.1.31 and recommends applying the update promptly. CISA republished the vendor advisory and advises network isolation, strict input validation, and restricting local host access to authorized users.

PAN-OS Captive Portal Critical RCE Affecting Siemens Devices

⚠️ A buffer overflow in the User-ID™ Authentication Portal (Captive Portal) of Palo Alto Networks PAN-OS permits an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. Siemens has identified affected RUGGEDCOM APE1808 devices and is preparing fixes while recommending immediate mitigations. Recommended actions include disabling Response Pages on exposed interfaces, disabling the User-ID Authentication Portal if not required, and restricting portal access to trusted internal IP addresses; contact vendor support for patch information.

ABB WebPro SNMP Card PowerValue: Multiple Vulnerabilities

🔒 ABB disclosed multiple vulnerabilities in the WebPro SNMP Card PowerValue affecting earlier firmware releases. The flaws include an authentication bypass (the device validates only the first character of session cookies and tokens), insufficient session expiration and uncontrolled resource consumption that can cause DoS and Modbus instability on port 502. ABB issued fixes in v1.1.8.p and recommends contacting ABB Digital Service Support and applying defensive measures from the product manual.

Fuji Electric Tellus Privilege Escalation Advisory

🔒 CISA published an advisory describing a privilege-escalation vulnerability in Fuji Electric Tellus arising from a kernel driver that grants all users read and write permissions. Successful exploitation could elevate a user to system privileges and may enable temporary denial of service, file opening, or file deletion. The vendor recommends installing Tellus only with administrator privileges; CISA notes the issue is not remotely exploitable and no public exploitation has been reported. CISA advises implementing ICS defensive measures and following established reporting procedures.

Subnet Solutions PowerSYSTEM Center: Auth and CRLF Flaws

🔒 CISA reports multiple authorization flaws and a CRLF injection affecting Subnet Solutions PowerSYSTEM Center. Authenticated users with limited permissions can expose administrative data via the REST API, delete project groups, or exploit SMTPS notification handling. Subnet Solutions advises upgrading to PSC 2020 Update 29, PSC 2024 Update 2, or the PSC 2026 GA Hotfix and contacting support for assistance.

ABB AC500 V3 Multiple Vulnerabilities and Fixes Notice

⚠️ ABB disclosed multiple vulnerabilities in AC500 V3 PLCs that can bypass user management, expose visualization files, compromise PKI certificates, or cause denial-of-service (CVE-2025-2595, CVE-2025-41659, CVE-2025-41691). The issues stem from forced browsing, a permission flaw in the optional CmpOpenSSL component, and a NULL pointer dereference in CmpDevice. ABB corrected the issues in firmware 3.9.0 via Automation Builder 2.9.0; no workarounds are available and customers should apply the update promptly.

ABB Automation Builder Gateway insecure default access

⚠️ ABB reported a vulnerability in the Windows Gateway component of Automation Builder that leaves its TCP listener bound to all interfaces by default on port 1217, enabling remote discovery of AC500 PLCs. The gateway may be installed standalone or bundled with other setups such as CODESYS, and unauthenticated actors can scan for PLCs; PLC user management normally prevents control unless disabled. ABB advises restricting access by setting [CmpGwCommDrvTcp] LocalAddress=127.0.0.1 in Gateway.cfg and restarting the gateway, or upgrading to Automation Builder 2.9.0 where the default is local-only.

Student Hacks TETRA System, Stops Taiwan High-Speed Trains

🔴 A 23-year-old university student in Taiwan was arrested after allegedly interfering with the country's TETRA-based communications for the Taiwan High Speed Rail (THSR). Authorities say he used SDR equipment and handheld radios to transmit a high-priority 'General Alarm' on April 5, forcing emergency brakes and halting four trains for 48 minutes. Investigators found decoded radio parameters and an accomplice who supplied critical THSR settings. Equipment including 11 radios, an SDR and a laptop was seized; the suspect faces criminal charges and was released on NT$100,000 bail.

Hitachi Energy PCM600 Zip-Slip Vulnerability and Guidance

⚠️ Hitachi Energy reported a directory traversal vulnerability (CVE-2018-1002208) affecting PCM600 product lines, including legacy 2.11 and several 3.x releases. The flaw resides in an affected SharpZipLib component (pre-1.0 RC1) and allows crafted ZIP archives to write files outside intended extraction directories, creating an integrity risk. Hitachi Energy recommends migrating to maintained 3.x builds, following vendor guidance and immediate mitigations such as network isolation, removal of default credentials, and secure remote access while awaiting a planned 3.1 SP4 update.

ABB B&R Runtime ANSL Server DoS: Patch Released Now

⚠ ABB reported a vulnerability in B&R Automation Runtime (ANSL-Server) that can be triggered remotely to cause a denial-of-service on affected nodes. The issue (CVE-2025-11044) is fixed in Automation Runtime 6.5 and R4.93. Apply the vendor patch promptly; interim mitigations include longer cycle times, limiting ANSL connections at the control-network firewall, and load testing before commissioning.

ABB Automation Studio Certificate Validation Vulnerability

🔒 ABB has released an update for Automation Studio to address an improper certificate validation vulnerability affecting the OPC-UA and ANSL over TLS clients (CVE-2025-11043). An attacker with network access who can intercept or redirect communications could present forged certificates that pass validation, enabling interception or manipulation of data. The issue is fixed in Automation Studio 6.5; users should apply the update promptly and follow recommended network segmentation and secure remote-access practices. CISA rates this flaw as High (CVSS 7.4) and recorded no reports of active exploitation at publication.

Johnson Controls AC2000 DLL Hijacking Vulnerability

⚠️ Johnson Controls' CEM AC2000 contains a DLL hijacking vulnerability (CVE-2026-21661) affecting versions 12.0, 11.0, and 10.6 that could allow a local, non‑privileged user to escalate privileges on the host. CISA assigns a CVSS v3.1 base score of 8.7 (High). The issue is not remotely exploitable and no public exploitation has been reported. Johnson Controls has released patched updates and recommends upgrading to the specified releases.

ABB B&R PVI client logs sensitive data vulnerability

🔒 ABB has released an update addressing a logging issue in its B&R PVI client that could expose sensitive information. Affected versions are PVI releases earlier than 6.5.0; the issue is fixed in PVI 6.5.0 (CVE-2026-0936). The vulnerability can allow an authenticated local attacker to read credentials written to client-side logs, although logging is disabled by default. Customers should apply the update promptly and limit client logging to troubleshooting only.

Managing OT Risk at Scale: Leadership Over Technical Fixes

🛡️ Organizations frequently assume IT security models apply to operational technology, but the article argues that OT demands a different approach because systems have long lifecycles, limited patching, and pervasive third‑party dependencies. The core issue at scale is governance: consistent decision rights, escalation logic and shared accountability across distributed sites. Boards should focus on concrete OT scenarios, clarify whether governance is centralized or federated, and insist on independent assurance rather than tool debates. The piece frames OT resilience as a leadership and governance challenge, not merely a technical one.

US Agencies Issue Zero Trust Guidance for OT Security

🔒 A joint guide from CISA and federal partners outlines how to adapt zero trust principles to operational technology (OT) environments while preserving safety and uptime. It details practical measures such as passive asset discovery, network segmentation, microsegmentation, identity and access controls tailored to legacy devices, and secure remote access via jump hosts with MFA. The guidance calls out risks from IT/OT convergence, including credential compromise, supply-chain vulnerabilities and malware that can disrupt physical processes. It emphasizes compensating controls where modern security features cannot be deployed, and the need for close IT–OT collaboration and integrated incident response.

CISA Urges Zero Trust Adoption for Operational Technology

🔒 CISA has instructed owners and operators of operational technology to stop assuming network safety and released joint guidance, Adapting Zero Trust Principles to Operational Technology, to apply Zero Trust to systems supporting power, water, transportation, building automation, and weapons-support infrastructure. The 28-page guide — developed with the Department of War, Department of Energy, FBI, State Department and NIST technical input — emphasizes assuming adversaries are inside, validating access by identity, context, and risk, and tailoring controls to OT constraints like latency and safety.

Fast16 Malware: State-Sponsored Sabotage Targeting Iran

🔍 Researchers have reverse-engineered a sophisticated malware strain called Fast16, concluding it is almost certainly state-sponsored and likely of US origin. The malware was reportedly deployed against Iranian targets years before Stuxnet, and it propagates automatically across networks while avoiding overt disruption. Instead of crashing systems, Fast16 silently tampers with numerical computations inside specialized simulation and engineering applications, altering results in ways that can turn routine analyses into faulty designs or trigger catastrophic equipment failures.