PT ISIM detects attacks and dangerous activity involving Mitsubishi Electric controllers

Support for two new protocols will detect threats facing many Russian industrial enterprises

Positive Technologies has expanded the feature set of its hardware and software suite for deep traffic analysis, PT Industrial Security Incident Manager (PT ISIM), with a new expertise package. The update provides extended support for Mitsubishi Electric protocols.

"Mitsubishi Electric is in the top 3 in the global market for industrial automation solutions. The company’s products are in widespread use at Russian enterprises too," notes Ilya Kosynkin, Head of Product Development, PT ISIM. "To ensure interaction between components within the Mitsubishi Electric ecosystem, a proprietary protocol stack working on various transports is used. In the new expertise package, we’ve added support for the MELSOFT protocol and expanded support for SLMP."

SLMP (SeamLess Message Protocol) is an application protocol for interaction between controllers, SCADA systems, peripheral devices, and other technological equipment. Since SLMP service functions can significantly impact the security and integrity of the workflow, PT ISIM registers an incident when the most important of them are used. Using the new expertise package, the product can detect, for example, when the PLC switches to stop or initialization mode, the password is enabled or disabled, or the file system is modified.

In turn, the MELSOFT protocol serves as an interface between engineering software (GX Works) and compatible Mitsubishi Electric controllers. During an earlier study of the protocol, Positive Technologies found vulnerabilities in the MELSEC series of PLCs related to incorrect processing of input data. In particular, CVE-2022-25161 causes a denial of service when data is written to memory at a specially chosen offset. The new expertise package allows PT ISIM to parse MELSOFT, calculate potentially dangerous offsets, and report the threat to the operator. Another vulnerability, CVE-2022-25162, also results in denial of service and loss of access to PLCs via service ports. The new expertise package allows for verification of data written using MELSOFT. In the event of an attempt to exploit the vulnerability, PT ISIM logs the incident, notifies the operator, and transmits the event, for example, to MaxPatrol SIEM or IRP systems.

The new expertise package is available for PT ISIM 4.1 and newer. Users who are connected to the update server will be able to automatically download and install the product; for standalone installations, manual updates are available. In that case, the user must download the package and install it in PT ISIM independently.