Security Market Segment LS
Wednesday, 06 October 2021 23:49

Claroty finds three vulnerabilities in Honeywell's Experion Process Knowledge System


Claroty security researchers have disclosed three vulnerabilities in Honeywell's Experion PKS distributed content system which permit an attacker to execute malicious code, disrupt business processes, and perform denial of service attacks. Honeywell has issued patches.

Honeywell's Experion Process Knowledge System (PKS) is a unified distributed control system (DCS) for process, business, and asset management that helps industrial manufacturers increase profitability and productivity. It is used in large plants requiring high availability and continuous operations, controlling large industrial processes that comprise multiple controllers, I/O devices, and human-machine interfaces.

Claroty, an industrial cybersecurity company, identified three severe vulnerabilities in the product which would allow an attacker to modify a control component library with malicious code, load it to a controller where it is executed, and subsequently gain control of the insecure controller, disrupt business processes, perform denial of service attacks, and take other actions.

All versions of Honeweyll's C200, C200E, C300, and ACE controllers and simulators are vulnerable.

Honeywell has addressed these vulnerabilities and issued patches along with an advisory urging customers to update affected systems as soon as possible. The solution associates a signature file for each control component library, which will be validated before the library is used. Server software and controller firmware must all be updated to mitigate the issue.

Honeywell has not issued patches for all versions of its software, many customers will also need to upgrade to the latest point release for a given major Experion release to gain the benefits of the fix. Customers using custom control component libraries will also need to update these with appropriate signature files.

The Cybersecurity and Infrastructure Security Agency, ICS-CERT, has also published an advisory, ICSA-21-278-04, rating the vulnerabilities collectively at rank 10, the highest criticality score.

The severity of the vulnerabilities is significant, not only for the ramification on Experion users who will need to manage the upgrade of all their related equipment but because distributed control systems are often regarded as a ‘black box’ by cybersecurity researchers and relatively few vulnerabilities are disclosed because the equipment is difficult to obtain. Like many other types of industrial equipment these systems are not readily available for purchase online, nor are they simple or cheap to purchase and configure.

Thus, it is notable Claroty has identified these weaknesses. Claroty's researchers determined the Honeywell Experion PKS controllers and simulators communicate over TCP ports 55553 and 55555 with a proprietary Honeywell protocol for programming. Current logic may be changed by performing a download code procedure, and as part of this mechanism the Experion control builder software transfers compiled logic to the device then executes it. Claroty identified the Experion PKS is overly trusting, offering no sandbox environment, memory protection, or other restrictions that curtail the effects of malicious code.

While sandboxes are not foolproof, they are typically regarded as an essential component to limit the access of executable code to a bare minimum. Claroty’s researchers found they could mimic the download code procedure and send arbitrary executable files to simulators and controllers, with the device then duly loading the executables and running them without performing any check or sanitisation. This means attackers can run code remotely without authentication.

The attack requires a malicious party have a foothold in the industrial network to be able to use ports 55553 and 55555, given these would not typically be exposed to the Internet.

Honeywell's solution enforces cryptographic signing to ensure libraries have not been tampered with. Server software and controller firmware must all be updated.


Subscribe to ITWIRE UPDATE Newsletter here


It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinatrs and campaigns and assassistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News