The Log4j vulnerabilities have been plaguing the security industry for more than a week.
The good news is that security researchers have seen a decrease in malicious exploitation attempts.
A key question still remains: how does Log4j affect OT security in particular? OT typically runs very old and very outdated software. There is also a great deal of murky information about what actually constitutes "secure" in OT, with varying 'guidance' from authority bodies.
Nick Cappi of Hexagon PPM shared his thoughts on what Log4j means for the OT sector in particular:
For the last few years every OT vendor, analyst, and security standard has talked about the importance of having a comprehensive inventory. All of this conversation has happened without a clear definition of what a comprehensive inventory actually includes. The lack of a definition of what makes an inventory comprehensive causes confusion for the owners/operators of industrial facilities; many think they have a “comprehensive inventory” until they try to use it. Events like “WannaCry” or now “Apache Log4j” send owners/operators of industrial facilities into scramble mode trying to identify if they are impacted and the locations of the weakness; this is because their inventory isn’t comprehensive enough to answer the question. Events like this are unfortunate but highlight the need for a “comprehensive inventory.”