Positive Technologies released an expertise package to detect cyberattacks on Yokogawa systems and helped to fix a dangerous vulnerability

The vendor was notified of the threat as part of the responsible disclosure policy and offered users an alternative authentication method.

Positive Technologies developed an expertise package for PT ICS, an integrated industrial cybersecurity platform. The package supports the systems of Yokogawa Electric Corporation. The platform users will be able to detect attacks on the CENTUM VP distributed control system (used by 10,000 chemical, power, oil and gas, food, water, pharmaceutical and other companies), as well as attacks on the ProSafe-RS safety system used in more than 24,000 projects.

The new expertise package allows users to detect the most popular attack vectors against distributed control systems: network failures and anomalies (substitution of a host address with an existing one or data backup difficulties), unauthorized access attempts (password manipulation and authentication system anomalies), and the use of standard passwords.

While working on the expertise package, Positive Technologies expert Denis Alimov found the vulnerability CVE-2023-26593 (BDU:2022-05068), which scored 6.5 on the CVSS v3 scale. The vulnerability affected distributed control systems of various generations, such as CENTUM CS 1000, which has been produced since the 1990s. CENTUM CS 3000 and CENTUM VP R4—R6 were also affected. The Exaopc OPC [1] servers used to connect industrial control systems by Yokogawa Electric Corporation with third-party software were also vulnerable. The vendor was notified about the vulnerability in new software versions and took measures to reduce the risk by offering users an alternative authentication method.

Denis Alimov, Senior Industrial Security Specialist at Positive Technologies, commented: "By exploiting the vulnerability, attackers could obtain high-privilege access rights to an industrial control system. This would allow them, for example, to control the process, lock or unlock it, as well as start and load process configurations. Attackers could also stop the PLC operation and change the thresholds of the equipment parameters and development settings (alarm indicators, sound, and others). In addition, hackers could block user access to the development environment and, consequently, to the industrial process control. According to the MITRE [2] classification, this is a denial of control attack which can lead to serious consequences."

Some distributed control systems, including CENTUM CS 1000, CENTUM CS 3000, and CENTUM VP R4—R5, are no longer supported by the vendor and therefore do not receive updates. Any open vulnerabilities, such as CVE-2023-26593 (BDU:2022-05068), can affect the security of an industrial facility.

Thanks to the new package designed to prevent the exploitation of such vulnerabilities, PT ICS controls any changes that can be made to a project and detects cases of abnormal startup, component locks, and the use of specialized software in hazardous modes. PT ICS automatically checks critical files, including firmware, for integrity and signs of compromise. The platform also registers physical security breaches, such as attempts to break into special industrial keyboards, in which the access level is regulated by a mechanical key. All this helps to ensure comprehensive protection of infrastructure based on Yokogawa Electric Corporation systems.

  1. A family of technologies for unified data exchange with any devices (https://en.wikipedia.org/wiki/Open_Platform_Communications).
  2. MITRE is a nonprofit technology organization that deals with cybersecurity.