You’d have to look far and wide to find an IT professional who isn’t aware of (and probably responding to) the Log4Shell vulnerability. The Operational Technology (OT) sector is no exception, but the exact exposure the vulnerability poses to OT systems has not yet been fully uncovered.
The vulnerability was first made public earlier this month, and you can learn more about it here, including information on the most recent patch. As the IT world continues to fortify its networks to defend against possible intrusions, OT environments may require a more focused approach.
The Potential Risk for the OT Sector
While we’re not aware of any published OT compromises, OT environments are an easy target for attackers looking to exploit Log4j, given how pervasive the library is in Java programs developed over the past decade.
One potential vector could target companies that have OT networks. Think about this hypothetical scenario: an attacker could gain initial access to the IT network through a vulnerable soft phone management system. After setting up that system to act as a proxy into the internal network, they may discover a vulnerable logging and monitoring system…