Cybersecurity at the Forefront of Industry Concerns in Early 2022

Jan. 4, 2022
Log4j presents industry with another serious security concern as the new year begins. Meanwhile, ISA 99 updates its cybersecurity approach.

You've likely heard about the log4j vulnerability. Chances are, however, that you've mostly heard how it affects public-facing internet systems. Some of the higher-profile exploits of the vulnerability include the penetration of Belgium's defense ministry, several ransomware attacks, and the takeover of computers to mine cryptocurrency, according to the Washington Post.

Though no intrusions into industrial control systems via the log4j vulnerability have yet been reported, the potential clearly exists. According to aDolus Technology, a supply chain cybersecurity provider, several million operational technology (OT) software packages use log4j. Most OT software suppliers use log4j because it is open-source software that handles the required logging tasks well. aDolus explains that the log4j vulnerability (called Log4Shell) is "a result of overly-provisioned features enabled by…an insecure default configuration and the implicit trust of messages." In practical terms, log4j evaluated lookup expressions of the form ${jndi:...} inside the text it was asked to log, so an attacker who could get a crafted string into any logged field (a user name, an HTTP header, a device identifier) could make the logging library fetch and execute code from a server the attacker controls.

The National Institute of Standards and Technology's National Vulnerability Database reports that the message lookup behavior behind Log4Shell (CVE-2021-44228) has been disabled by default from log4j 2.15.0 and completely removed from version 2.16.0. Note that 2.15.0 is only a partial fix, since its default-off mitigation could still be bypassed in some configurations (tracked as CVE-2021-45046), so 2.16.0 or later is the target when patching.


As with most cybersecurity corrective measures, protecting your operations starts with finding where the vulnerability lives in your systems. After all, as aDolus notes, if you don't know that the software you use contains log4j, you won't know whether you should patch, block certain traffic, or do nothing at all. This is harder than it sounds: log4j is usually bundled inside a vendor's application as a nested JAR rather than installed as a separate package, so it rarely shows up in an operating-system package list or a conventional asset inventory.

According to aDolus, a software bill of materials (SBOM) is the "best tool for uncovering hidden vulnerabilities like Log4Shell." The FACT platform from aDolus reportedly provides "enriched SBOMs that report all the subcomponents of a software package" and can be a valuable tool for cybersecurity assessments. Source code analysis is another option if you have access to the source code, but that's often not the case in the OT world, according to aDolus.
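When a vendor SBOM is not available, the same identification step can be done directly against the binaries: open each JAR, WAR or EAR, look for the Maven metadata that log4j-core ships with, read its version, and recurse into any archives nested inside. The script below is an added example written for this article; it is not aDolus's FACT platform or any vendor's tool. It classifies findings using the two thresholds quoted above from NVD (lookups disabled by default from 2.15.0, removed from 2.16.0) and also recognizes the common stopgap of deleting JndiLookup.class from an older jar. The sample archives it scans are constructed inline (the class file contents are placeholder bytes, not real bytecode), and backported fix releases on the 2.12.x and 2.3.x branches are deliberately not modeled, so treat its output as a triage list rather than a verdict.

```python
"""Inventory log4j-core inside JAR/WAR/EAR files, including nested archives.

Added example for this article (not vendor code). Version thresholds follow
the NVD description of CVE-2021-44228 as quoted in the text.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata that a stock log4j-core jar carries; shaded/fat jars may lack it.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that performs JNDI lookups; deleting it was a widely used stopgap.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.17' -> (2, 17, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def classify(version, has_jndi_lookup):
    """Map a log4j-core version plus JndiLookup.class presence to a status.

    Caveat: 2.12.2 and 2.3.1 backports (which also removed the lookup) are
    not modeled here and would be reported as vulnerable.
    """
    if version is None:
        return "unknown: log4j-core detected but version not found; inspect manually"
    if version >= (2, 16, 0):
        return "fixed: JNDI message lookup functionality removed"
    if version == (2, 15, 0):
        return "mitigated: lookups disabled by default; upgrade to a fixed release"
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class stripped from archive; upgrade to a fixed release"
    return "vulnerable: JNDI message lookups enabled by default"


def scan_archive(data, label, findings):
    """Inspect one zip-format archive (as bytes) and recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to do
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = None
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                version = parse_version(m.group(1)) if m else None
            findings.append((label, version, classify(version, JNDI_LOOKUP in names)))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                # "outer!inner" labels mirror the java.net.JarURLConnection convention
                scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_path(root):
    """Walk a directory tree; return [(label, version_tuple, status), ...]."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), path.relative_to(root).as_posix(), findings)
    return findings


def _jar(version, include_jndi_lookup=True):
    """Build a minimal stand-in for a log4j-core jar (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not bytecode
    return buf.getvalue()


def build_sample(root):
    """Constructed sample tree: a WAR bundling 2.14.1, a stripped 2.14.1, a 2.16.0."""
    root = Path(root)
    (root / "lib").mkdir()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _jar("2.14.1"))
    (root / "app.war").write_bytes(war.getvalue())
    (root / "lib" / "log4j-core-2.14.1-stripped.jar").write_bytes(
        _jar("2.14.1", include_jndi_lookup=False))
    (root / "lib" / "log4j-core-2.16.0.jar").write_bytes(_jar("2.16.0"))
    return root


def demo():
    """Scan the constructed sample and print one line per log4j-core found."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_path(build_sample(tmp))
    for label, version, status in findings:
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{label}: {shown} -> {status}")
    return findings


if __name__ == "__main__":
    demo()
```

Run it against a real install by replacing the constructed sample with scan_path("/opt/vendor-app") or similar. Anything reported as "unknown" (a shaded jar without Maven metadata) is exactly the case an enriched SBOM is meant to resolve, and any hit at all is a reason to check the vendor's advisory before deciding whether to patch, block traffic, or accept the finding.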

More detailed guidance on mitigating Log4Shell and the related log4j vulnerabilities (CISA Alert AA21-356A) is available at https://www.cisa.gov/uscert/ncas/alerts/aa21-356a.

ISA99 Update

As 2022 began, the ISA99 Committee on Industrial Automation and Control Systems (IACS) Cybersecurity issued an update to stakeholders about its focus moving forward in light of the ever-evolving cybersecurity threats facing industry.

Key aspects of this notice from the committee include:

  • 62443-1-1 (Terminology, concepts, and models) – The first edition of this document was published by ISA in 2007 and later distributed as a technical specification by IEC. Since then, the committee's understanding of the subject has evolved considerably, as reflected in the more detailed standards in the series. These changes have been incorporated into the second edition of 62443-1-1, which is currently circulating for review and comment in both ISA99 and IEC TC 65 WG 10.
  • 62443-1-3 (Performance metrics for IACS security) – This technical report defines a methodology for developing quantitative metrics derived from the process and technical requirements defined in the ISA/IEC 62443 series. It has been circulated for review and comment, and further revisions are underway.
  • 62443-1-6 (Application of the ISA/IEC 62443 standards to the Industrial Internet of Things) – This technical report describes considerations for asset owners deciding whether to implement Industrial Internet of Things (IIoT) technologies and provides guidance on the requirements of the ISA/IEC 62443 series to clarify and mitigate cybersecurity concerns. It will be circulated for review and comment in early 2022.
  • 62443-2-3 (Security update [patch] management) – This technical report was published by ISA in 2015 to address the requirements for an effective automation system patch management program. A second edition has been completed and will soon be circulated for a second round of review and comment.
  • 62443-2-2 (IACS security protection) – This document prescribes the requirements for performing a protection level rating during the operation of an automation system. It was recently circulated for review and comment.
  • 62443-3-3 (System security requirements and security levels) – First published in 2013, this document prescribes the security requirements for control systems and assigns system security levels to the system under consideration. The committee is currently preparing a second edition.
