The Highway Addressable Remote Transducer (HART) Communications Protocol works with field devices to control parts in industrial control systems (ICS). It also collects data from sensors in order to monitor these industrial environments. The nature of this product makes security a priority, but researchers recently came across some flaws that could pose problems.
Applied Risk reported to SecurityWeek that it found several serious vulnerabilities in some products that use the WirelessHART networking technology. For instance, ProComSol has released an Android-based smart device communicator app for HART. Because of the way this app is configured, an attacker would only need knowledge of the vulnerabilities and an Android smartphone to carry out an exploit.
No Specifics on Networking Technology Vulnerabilities
Applied Risk hasn’t disclosed any specific details about the vulnerabilities of the networking technology since the software products at risk remain unpatched at this time. Vendors have been notified and are working on patches, according to Applied Risk.
The company did tell SecurityWeek that it identified several vulnerabilities in each of the products and brands analyzed. Some flaws share a common attack surface and are found on vulnerable devices around the world.
Unfortunately, the majority of the plants using them are most likely unaware of the risks, SecurityWeek reported. And with a lack of active monitoring systems in use throughout the related industries, an attack would probably go undetected.
“The most serious risk, however, is the loss of life in the case of explosions, especially in hazardous environments,” Jalal Bouhdada, the founder of Applied Risk, told SecurityWeek. “Alongside the potential impact to the environment, an attack could lead to significant reputational damage. End users and ICS suppliers must take a more proactive and thorough approach to testing — and implementing security measures to effectively tackle these threats.”
Others Have Found HART Problems
Applied Risk is not the only security firm to study the existence of vulnerabilities in HART-based devices. In 2014, for example, security researchers discovered that a widely used HART-related library was vulnerable to an exploit that could crash field devices. That issue was eventually fixed by Emerson Process Management.
Attacks on industrial control systems have been on the rise, according to an alert from the Industrial Control System Cyber Emergency Response Team (ICS-CERT). Whether this pathway will be severely exploited is not yet known, but users of the networking technology need to be aware of the potential danger.