Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Log4J Vulnerability: What, Why and How

What is Log4j?

Log4j is a software library built in Java that’s used by millions of computers worldwide running online services. It’s described as a zero-day (0 day) vulnerability and rated the highest severity under the Common Vulnerability Scoring System (CVSS; CVE-2021-44228). It was rated a 10 out of 10 on the CVSS, due to the potential impact that it can have if leveraged by attackers. This vulnerability allows attackers to remotely control and execute code on vulnerable machines.

While Log4j is maintained by Apache, it is utilized in many vendor applications and appliances as well as in custom-built systems. The following reference lists the known affected vendors as of December 12, 2021 but should not be considered definitive. Organizations should contact vendors directly for additional information.

Why is it Critical for Organizations to Take it Seriously?

This vulnerability, also known as Log4Shell, allows remote code execution in many applications through web requests and without authentication, which enables all the information technology (IT) and operational technology (OT) infrastructure.

Log4j vulnerability, which is both vendor-agnostic and affects both proprietary and open-source software, will leave several industries exposed to remote exploitation, including electric power, water, food and beverage, manufacturing, and transportation. Log4j is widely used in a variety of consumer and enterprise services, websites, and applications, as well as in OT products, to log security and performance information. The agency identified that an unauthenticated remote hacker could exploit this vulnerability to take control of an affected system.

Possible risks to OT:

  • Possible organizational impacts ranging from minimal, to a crippling attack and possible information theft, as well as a loss of service
  • Business operations disruption
  • The need to disclose where personal data was affected
  • Costs associated with incident response and recovery
  • Reputational damage

How Do You Protect Yourself?

Identify, Access, Prioritize, and Action: These are the 4 pillars which will help any OT industries to tackle this vulnerability in a well-approached manner. The severity of the Apache Log4j vulnerability is beginning to unravel in the industrial sector, as vendors begin to identify the presence of the cross-cutting vulnerability in their product lines.

  • Identify all the assets, including internet-facing and isolated assets that allows data inputs and use of Log4j java library anywhere in the communication stack.
  • Access the OT landscape of your organization and understand the risk vs. remediation approach. Update or isolate the affected asset based on this outcome.
  • Prioritize the critical vs. non-critical areas and work on mitigation strategies like monitoring for odd traffic patterns (e.g., JDNI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections, etc.). Install or modify an existing Web Application Firewall (WAF) with rules to detect the presence of vulnerabilities.
  • Create an action team who will drive the incident response at all levels and keep the key stakeholders engaged with all the activities.

It is important to note that this vulnerability has impacts to both IT and OT which use Java in their codebase, and with the severity of this vulnerability, more sophisticated variations of Log4j exploits will emerge with a higher likelihood of directly impacting OT networks. Organizations will need to drive the approach from the bottom up, as once the networks and applications are identified the landscape can be pinpoint and the action plan can be drafted. Keep in mind that it is imperative to always stay up to date with advisories as it keeps updating.

Further reading:

Achal Lekhi
Achal Lekhi
Achal Lekhi is a diligent and detail-oriented operational technology security specialist professional with a strong academic background and hands-on experience in several complex roles in different sectors. Achal is a quick thinker, with an ability to wear multiple hats — strategic, technical and logical for a given requirement. He believes strongly that there is no problem in the world that does not have a solution! Currently, Achal works as an operational technology (OT) security consultant across several industries globally. He has an excellent blend of technology capability, OT/IT awareness, network and information security and risk and compliance with a detailed understanding and experience of implementing OT security and cybersecurity standards.

Related Posts

Practical Insights for Implementing Control System Security

Introduction In this blog post, we’ll share practical insights from operational experience in managing cy...
Pinakin Gokhale Nov 29, 2024 7:00:00 AM

Innovations in R&D: How AI Is Transforming Industrial Cybersecurity Operations

Industrial control systems are becoming more complex as evolved cyberattacks threaten industry functions....
Devin Partida Nov 15, 2024 7:00:00 AM

In Conversation with Authors of ISAGCA White Paper on Zero Trust and ISA/IEC 62443

The ISA Global Cybersecurity Alliance (ISAGCA) recently published a white paper exploring the application...
Kara Phelps Nov 8, 2024 12:00:00 PM