Yair Attar, Co-founder and CTO, OTORIO
The dust has settled a bit on the Log4j vulnerabilities, also known as CVE-2021-44228 (remote code execution), CVE-2021-45046 (DoS) and CVE-2021-45105 (DoS).
Today, almost two weeks after its December 9 announcement and a month or so since its discovery, we’ve got a handle on what it affects (nearly a third of all web servers in the world, by one reckoning) and what the dangers are (more than 3,700,000 hacking attempts using the vulnerability as of December 17, according to Check Point).
That said, we also have a better idea of what exactly hackers are doing with the vulnerability and its variants, and are beginning to get an idea of how to defend against Log4j-based attacks. Below, I’ll lay out some concrete steps you can take today to help protect your OT network.
But first, how does this vulnerability affect OT networks, in general?
A key challenge with Log4j, as compared with previous supply chain attacks like SolarWinds, is that at this stage it is hard to identify exactly what is affected.
The vulnerability was found in a library that is used widely in many products – meaning it has the potential to affect multiple systems in any given network. In the coming days and weeks, machine builders, system manufacturers and application providers will start sharing exactly which of their systems are affected, releasing patches that will fix the vulnerability, and providing detailed mitigation plans.
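Because the vulnerable code sits in a library rather than in one product, the first defensive step is usually an inventory: which hosts carry a copy of log4j-core, at which version, and whether it is buried inside an application archive. The script below is an added example written for this post, not OTORIO's code or the RAM² or spOT tooling. It assumes that 2.17.0 is the first release closing all three CVEs listed above (on Java 8 and later), that log4j-core jars carry their version in the Maven pom.properties entry or the manifest's Implementation-Version, and the sample archives it scans are constructed by make_fixture() in a temporary directory so the whole thing runs offline.

```python
"""Log4j 2 inventory helper for CVE-2021-44228, CVE-2021-45046 and
CVE-2021-45105: walk a directory tree, find every log4j-core copy
(including jars nested in war/ear archives) and flag those below the
fix release.  Added example, not OTORIO's code.  Assumption: 2.17.0 is
the first release that closes all three CVEs on Java 8+."""

import io
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 17, 0)          # assumption: fix release for all three CVEs
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None for anything unparsable."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None


def read_version(zf, names):
    """Prefer Maven pom.properties, fall back to the manifest's Implementation-Version."""
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    return None


def classify(version, jndi_present):
    """Status label for one log4j-core copy."""
    v = parse_version(version)
    if v is None:
        return "unknown-version"
    if v >= FIXED_VERSION:
        return "fixed"
    # Deleting JndiLookup addresses the JNDI-based CVEs but not the
    # CVE-2021-45105 lookup DoS, so anything below the fix release stays flagged.
    return "affected" if jndi_present else "affected-jndi-removed"


def scan_archive(data, location, findings):
    """Inspect one archive in memory, recursing into nested jars/wars/ears."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = read_version(zf, names)
            jndi = JNDI_CLASS in names
            findings.append({"location": location, "version": version,
                             "jndi_lookup_present": jndi,
                             "status": classify(version, jndi)})
        for n in names:
            if n.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(n), f"{location}!{n}", findings)


def scan_tree(root):
    """Walk root and return one finding per log4j-core copy, sorted by location."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return sorted(findings, key=lambda f: f["location"])


def _fake_core_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar (class bodies are dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def make_fixture(root):
    """Populate root with constructed sample archives: unpatched, fixed, nested+mitigated."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_fake_core_jar("2.14.1"))
    with open(os.path.join(root, "lib", "log4j-core-2.17.0.jar"), "wb") as f:
        f.write(_fake_core_jar("2.17.0"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:   # hypothetical HMI web app bundling an old core
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", _fake_core_jar("2.15.0", with_jndi=False))
    with open(os.path.join(root, "hmi.war"), "wb") as f:
        f.write(war.getvalue())


def demo():
    """Build the fixture in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fixture(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['status']:22} {finding['version'] or '?':8} {finding['location']}")
```

Run it against a real host by replacing demo() with scan_tree("/opt") or the application root you care about; it reads archives into memory and never executes anything from them, so it is safe to run on a production engineering workstation or HMI server. The "affected-jndi-removed" status exists because deleting the JndiLookup class, one of the interim mitigations on the Apache advisory page, does not address the DoS issue, so such hosts still belong on the patch list.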
Until this happens, here are four concrete steps you can take today.
Four Log4j Mitigation Steps
Additionally, organizations are urged to review and monitor the Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance and work closely with their providers and suppliers to monitor any updates on affected systems.
Nothing is bulletproof, of course, but all of the above could help. You will find additional information in a recent Incident Response Tip published by Dor Yardeni, OTORIO’s Director of Cybersecurity Services.
OTORIO clients can configure their RAM² to integrate with various data sources such as EDR, FW, WAF, and OTORIO’s proprietary tools. The broader the coverage, the more chances to detect Log4j exploitation attempts.
Also, OTORIO’s spOT platform can provide automated risk assessment, helping harden your machines against any threat. In just hours, spOT creates a fully updated OT, IT and IIoT asset inventory, including components, assemblies, complete machines, network segments, firewall configurations, connectivity between devices, protocols and more. For any factory, production floor, energy or infrastructure facility, spOT leverages multiple data sources to automatically assess risk per OT asset, process or entire site and measures overall cybersecurity posture.