Cybersecurity company Nozomi Networks Labs warns of vulnerabilities in Mitsubishi’s industrial control systems. The gaps were discovered at the end of 2020. They are in the authentication implementation of the Melsoft communication protocol of Mitsubishi’s Safety PLCs. The company has now confirmed the errors.
The Japanese manufacturer has now developed patches to fix the problems, Nozomi Networks Labs said. Software updates for safety PLCs or medical devices often take longer than for other software products. According to the providers, certain certification processes must first go through before patches can be released.
“Depending on the type of device and the regulatory framework, the certification process may be required for each individual software update,” write the researchers from Nozomi Networks Labs. “While we waited for the patch development and distribution process to be completed, we developed detection logic for the customers of our threat intelligence service. At the same time, we’ve started researching more general detection strategies that we can share with facility owners and the security community in general. “
Mitsubishi has only published several workarounds so far, although some of the vulnerabilities were already disclosed by ICS-CERT in January. The security researchers also assume that the vulnerabilities can also affect products from other manufacturers.