Thursday, June 2, 2022

Review – 2 Advisories Published – 6-2-22

 

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Illumina and Carrier.

Illumina Advisory - This advisory describes five vulnerabilities in the Illumina Local Run Manager software.

Carrier Advisory - This advisory describes eight vulnerabilities in the Carrier HID Mercury access panels (sold by its LenelS2 subsidiary).

Commentary

Quality control testing in both chemical and biological production facilities can provide a unique point of access to control system networks. While today’s Illumina vulnerabilities are directly related to software that controls laboratory equipment, modern quality control laboratories maintain a network of connected instruments and instrument control systems to manage the testing and reporting of both in-process and final-product quality testing. Reports on that testing are frequently shared with customers, R&D, and sales personnel, often by email or shared databases. Furthermore, the more integrated the manufacturing environment, the more likely it is that there is some network linkage between the QA lab and the production floor. Thus, a vulnerability in a piece of analytical equipment may ultimately provide access to control system networks.

For more information on these advisories, and a Down the Rabbit Hole report on a unique vulnerability reporting format, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-6-2-22 - subscription required.
