Critical Flaws Exposed in Industrial Control Systems: Are Your Operations at Risk?
In a startling revelation, cybersecurity experts at Nozomi Networks have uncovered a series of vulnerabilities within AutomationDirect’s CLICK Plus Programmable Logic Controllers (PLCs), potentially jeopardizing industrial and commercial operations worldwide. These flaws, affecting wireless protocols and workstation software, could allow malicious actors to disrupt critical systems, from factory machinery to amusement park rides. But here's where it gets controversial: despite the severity of these issues, many organizations may still be unaware of the risks lurking in their networks.
Nozomi’s research, centered on the C2-03CPU-2 model—a device equipped with Wi-Fi and Bluetooth capabilities—revealed seven distinct vulnerabilities. These weaknesses were promptly reported to AutomationDirect, along with detailed technical insights to facilitate remediation. The C2-03CPU-2 was chosen for its widespread use in field deployments, where it’s often accessed via workstations and mobile devices. And this is the part most people miss: the proprietary UDP-based protocol used for communication, though designed to provide encryption and authentication, contains implementation flaws that could allow attackers to decrypt traffic and steal operator credentials.
The Protocol Under the Microscope
Nozomi researchers dissected the protocol’s connection phases, key exchanges, and message formats, uncovering vulnerabilities that could compromise confidentiality and integrity. For instance, the protocol’s encryption mechanisms, while theoretically robust, were undermined by poor implementation choices. This raises a thought-provoking question: how many other industrial systems rely on similarly flawed protocols, leaving them exposed to cyberattacks?
Expanding the Scope: Beyond the Network Protocol
The investigation didn’t stop at the network protocol. Nozomi also examined the software ecosystem supporting CLICK Plus devices, including the CLICK Programming Software and mobile applications for Android and iOS. These tools, essential for programming and managing the PLCs, were found to have vulnerabilities that could be exploited in tandem with protocol weaknesses.
Real-World Implications: From Factories to Fun Parks
CLICK Plus PLCs are ubiquitous in industrial and commercial settings, controlling everything from manufacturing lines to building automation systems. Their compact design, support for ladder-logic programming, and multiple communication interfaces (Ethernet, Wi-Fi, Bluetooth) make them versatile, but every additional interface is also an additional entry point for an attacker. Imagine an attacker altering conveyor belt speeds in a factory or disabling safety interlocks on an amusement park ride—the consequences could be catastrophic.
The Attack Chain: How It Unfolds
To exploit these vulnerabilities, an attacker would first need access to the network hosting the PLC. While standard operational controls should prevent this, attackers can gain entry through physical access, exposed remote interfaces, compromised workstations, or misconfigured VPNs. Once inside, the attacker passively monitors network traffic, waiting for an operator to connect to the PLC. Upon detecting a login, they inspect the traffic, leveraging protocol flaws to decrypt it and extract credentials.
Disruption and Destruction: The Attacker’s Endgame
With stolen credentials, the attacker can authenticate to the PLC and manipulate its behavior. Nozomi researchers highlighted how attackers could alter conveyor belt speeds, disable safety mechanisms, or falsify sensor readings, leading to production halts, product defects, or even physical harm to operators. For example, CVE-2025-55038 allows attackers to manipulate I/O values even with lower-privilege credentials, showcasing the depth of these vulnerabilities.
Mapping to MITRE ATT&CK for ICS
These vulnerabilities align with several tactics in the MITRE ATT&CK for ICS framework. Protocol weaknesses enable attackers to recover keys, exfiltrate credentials, and manipulate I/O values. Additionally, session management flaws allow adversaries to disrupt telemetry, creating a sustained loss of visibility for operators. Weak cryptography and predictable key generation further exacerbate the risk, enabling passive decryption of sensitive operational data.
Controversial Counterpoint: Are Patches Enough?
AutomationDirect has released security patches for the CLICK Plus firmware and programming software, and CISA has published an advisory urging asset owners to update their systems. However, patching alone may not suffice. Many organizations struggle with patch management, leaving systems vulnerable. This raises another contentious question: should industrial systems rely solely on reactive measures like patching, or is a more proactive, holistic approach to cybersecurity needed?
Proactive Defense with Nozomi Networks
To address these challenges, Nozomi Networks offers its OT/IoT Security Platform, which provides deep visibility into network traffic and host activities. This enables organizations to detect vulnerabilities and threats across OT networks proactively. By leveraging such tools, security teams can minimize the impact of attacks and protect critical infrastructure.
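The attack chain described above begins with an unexpected host reaching the PLC over the network, and the visibility the platform promises is visibility into exactly that traffic. The following is an added example, not code from Nozomi Networks or AutomationDirect: a small allowlist-based flow monitor in Python that runs over constructed flow records. The PLC protocol's UDP port number, the IP addresses, the asset inventory and the two detection rules are all assumptions made for the example; the article does not state the real port or any network details.

```python
"""Added example, not part of the original article or of any vendor software.

Baselines which engineering workstations may talk to which PLCs and flags
UDP flows that fall outside that baseline.  Every address, the port number
and the flow records below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass

# Placeholder: the article does not give the protocol's real UDP port.
PLC_UDP_PORT = 50000


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since the start of the capture
    src: str       # source IP
    dst: str       # destination IP
    proto: str     # "udp" or "tcp"
    dport: int     # destination port


# Constructed asset inventory: PLC address -> workstations allowed to reach it.
ALLOWED_CLIENTS = {
    "10.0.20.11": {"10.0.10.5"},                # line-1 PLC, one engineering workstation
    "10.0.20.12": {"10.0.10.5", "10.0.10.6"},   # line-2 PLC, two workstations
}


def is_plc_session(flow, allowed=ALLOWED_CLIENTS, port=PLC_UDP_PORT):
    """True if the flow targets a known PLC on the (assumed) protocol port."""
    return flow.proto == "udp" and flow.dport == port and flow.dst in allowed


def detect(flows, allowed=ALLOWED_CLIENTS, port=PLC_UDP_PORT, window=300.0):
    """Return (rule, flow) alerts for PLC sessions that break the baseline.

    unauthorized_client: a PLC session from a host not in that PLC's allow list,
        i.e. the network foothold the attack chain requires.
    concurrent_clients: a second, different client reaching the same PLC within
        `window` seconds of another; a stolen or replayed credential in use looks
        like this on the wire even when both hosts are otherwise legitimate.
    """
    alerts = []
    recent = defaultdict(list)            # plc -> [(ts, src)] of sessions seen
    for f in sorted(flows, key=lambda x: x.ts):
        if not is_plc_session(f, allowed, port):
            continue                      # ordinary IT traffic is ignored
        if f.src not in allowed[f.dst]:
            alerts.append(("unauthorized_client", f))
        others = [s for (t, s) in recent[f.dst] if f.ts - t <= window and s != f.src]
        if others:
            alerts.append(("concurrent_clients", f))
        recent[f.dst].append((f.ts, f.src))
    return alerts


# Constructed capture: one normal session, unrelated web traffic, an unknown
# host talking to the line-1 PLC, then two allowed hosts overlapping on line 2.
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.10.5", "10.0.20.11", "udp", PLC_UDP_PORT),
    Flow(5.0, "10.0.10.5", "10.0.20.11", "udp", PLC_UDP_PORT),
    Flow(8.0, "10.0.10.5", "8.8.8.8", "tcp", 443),
    Flow(120.0, "10.0.10.99", "10.0.20.11", "udp", PLC_UDP_PORT),
    Flow(900.0, "10.0.10.6", "10.0.20.12", "udp", PLC_UDP_PORT),
    Flow(950.0, "10.0.10.5", "10.0.20.12", "udp", PLC_UDP_PORT),
]


if __name__ == "__main__":
    for rule, f in detect(SAMPLE_FLOWS):
        print(f"[{rule}] t={f.ts:>6} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Run stand-alone, the sample capture produces three alerts: the unknown host 10.0.10.99 is flagged both as an unauthorized client and as a concurrent client of the line-1 PLC, and the second workstation on line 2 is flagged as concurrent only, since both hosts there are on the allow list. The allow list is the part that must come from an actual asset inventory; without one, the monitor can only report the second rule.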
Your Turn: What’s Your Take?
Do you think the industrial sector is doing enough to address cybersecurity risks? Are patches and advisories sufficient, or is a fundamental shift in approach required? Share your thoughts in the comments below—let’s spark a conversation that could shape the future of industrial cybersecurity.