Why it matters: One of the problems with industrial equipment is that it rarely gets patched for security flaws unless something isn't working and is impeding production or causing other major issues. Microsoft's cybersecurity team has found several security flaws in a widely-used software development kit for programmable logic controllers, so many machine builders and integrators will have to find a way to deploy the relevant patches as soon as possible.
Microsoft researchers believe they've identified not one, but multiple high-severity security vulnerabilities in widely-used industrial software that could be used by threat actors to "shut down power plants."
In the report, Microsoft threat intelligence specialist Vladimir Tokarev details no fewer than 15 flaws in the CODESYS V3 software development kit (SDK), which is used for millions of programmable logic controllers (PLC) in industrial environments worldwide. The vulnerabilities are tracked as CVE-2022-47379 through CVE-2022-47393 and have received severity ratings ranging from 7.5 to 10 out of 10.
More than 500 manufacturers of such equipment leverage the CODESYS V3 SDK to program over 1,000 different PLC models and develop custom automation applications across a variety of use cases: CNC and robotics, motion control, power delivery for data centers, medical technology, safety systems, and the automation of commercial and residential buildings. However, Microsoft's security team focused its efforts primarily on embedded code targeting devices from Wago and Schneider Electric.
While the SDK simplifies the work of engineers, the embedded code that makes all of this possible is vulnerable to remote code execution and denial of service attacks. And while exploiting the 15 vulnerabilities requires an attacker to authenticate, that wouldn't be a major barrier for motivated threat actors looking to tamper with industrial operations in factories or energy infrastructure.
Microsoft reported its discovery to CODESYS in September 2022, and patches are being rolled out by the latter company to address the security flaws in question. The biggest priority for system admins should be to upgrade to CODESYS V3 v3.5.19.0 as soon as possible, while Microsoft security experts also recommend disconnecting PLCs, routers, and other relevant infrastructure from the Internet and segmenting it to lower the attack surface.
Additionally, the Microsoft 365 Defender team has released an open-source software tool that can help engineers and admins determine which devices in their infrastructure are vulnerable or if they've already been compromised.
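As an added example (not from the article, Microsoft or CODESYS), the script below triages a constructed PLC inventory against the fixed release named above, 3.5.19.0, flagging unpatched runtimes and ranking Internet-reachable ones first; the `Plc` record and its `internet_reachable` flag are assumed attributes of whatever asset inventory a site keeps.

```python
"""Triage constructed PLC inventory against the fixed CODESYS V3 release.
Versions are compared component-wise as integers: a plain string comparison
would wrongly rank "3.5.9.0" above "3.5.19.0" and miss an unpatched device."""
from dataclasses import dataclass

PATCHED_RUNTIME = "3.5.19.0"  # fixed release named in the article
CVE_RANGE = "CVE-2022-47379 through CVE-2022-47393"  # as listed in the article


def parse_version(text: str) -> tuple:
    """Turn 'V3.5.18.40' or '3.5.18' into a tuple of ints padded to 4 places."""
    parts = text.strip().lstrip("Vv").split(".")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(runtime_version: str) -> bool:
    """True when the runtime is a CODESYS V3 build older than the fixed release."""
    v = parse_version(runtime_version)
    if v[0] != 3:  # only V3 runtimes are covered by this advisory
        return False
    return v < parse_version(PATCHED_RUNTIME)


@dataclass
class Plc:
    name: str
    runtime_version: str
    internet_reachable: bool  # hypothetical inventory attribute


def triage(inventory):
    """Return (name, reason) pairs for unpatched PLCs, exposed ones first."""
    findings = []
    for plc in inventory:
        if not is_vulnerable(plc.runtime_version):
            continue
        reason = f"runtime {plc.runtime_version} < {PATCHED_RUNTIME} ({CVE_RANGE})"
        if plc.internet_reachable:
            reason += "; reachable from the Internet, isolate and segment first"
        findings.append((plc.name, reason))
    findings.sort(key=lambda f: "Internet" not in f[1])  # exposed devices first
    return findings


# Constructed sample inventory, not real devices
SAMPLE_INVENTORY = [
    Plc("line1-wago", "V3.5.18.40", internet_reachable=True),
    Plc("line2-schneider", "3.5.9.0", internet_reachable=False),
    Plc("line3-patched", "3.5.19.0", internet_reachable=False),
    Plc("legacy-v2", "2.3.9.0", internet_reachable=True),
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```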