Spectre and Meltdown pose real threat to industrial control systems
- By Mark Rockwell
A growing list of industrial control systems vendors have told the Department of Homeland Security's Computer Emergency Readiness Team that some of their wares could contain Meltdown and Spectre microprocessor vulnerabilities.
Twelve makers of control systems used in industrial control and medical support systems told DHS Industrial Control Systems-CERT their gear could be affected by Meltdown and Spectre.
Meltdown and Spectre vulnerabilities sprawl across virtually all processor chips in computers and mobile devices. ICS-CERT asked ICS vendors for the information when the two wide-ranging vulnerabilities were disclosed in early January.
The two bugs both allow for side-channel exploitations of kernel memory, potentially allowing someone to steal data from a device as it is being processed.
Cybersecurity experts have said the flaws are not easily leveraged. In a statement in early January, DHS said it was not aware of any instances where the bugs have been actively exploited.
The vendors on ICS-CERT's list provided links to statements about the potential for the vulnerabilities and the need for patches. Some said they are still investigating their devices to determine if any have specific issues with the flaws, while other said they have determined potential flaws are present in some of their gear, explained those vulnerabilities and pointed to appropriate patches.
Several vendors also warned that operating system updates to mitigate the vulnerabilities can lead to considerable performance slowdowns.