Food Engineering logo

Manufacturing News

Log4j vulnerability: New IT/OT threat with lots of dangerous potential everywhere

The Log4j zero-day vulnerability has been shipped since 2014 in countless numbers of hardware devices and software products, so there are millions of copies of it buried in everything from cell phones to industrial control equipment. Photo courtesy of Wayne Labs

February 3, 2022

Just when IT and OT professionals were feeling a little more comfortable in preventing and tackling ransomware/malware attacks, they have something new to worry about—and potentially just as insidious—the Log4j vulnerability. While this potential threat doesn’t pose much of a problem for most Microsoft Windows systems, nevertheless it is worrisome for any device running certain Apache Foundation software—and that can affect everything from cell phones and tablets to Linux servers to OT devices—and potentially to Windows Servers running Apache software.

Log4j has been a big issue for suppliers of ICS (industrial control systems) equipment. But there’s not a single OT vendor that doesn’t have the Log4j software somewhere in their product line, says Eric Byres P.Eng., CTO at aDolus Technology and ISA Fellow. “Plus this is a trivial exploit, so the hackers are loving it,” adds Byres.

Byres is inventor of the Tofino Security firewall technology for industrial controllers and has provided guidance to government security agencies and major energy companies on critical infrastructure protection, chaired the ISA SP-99 Security Technologies Working Group and testified to the U.S. Congress on the security of industrial control systems in national critical infrastructures.

What is Log4j?

Log4j is a Java-based logging library used in a variety of consumer and enterprise services, websites, applications and OT products. The vulnerabilities found in Log4j, especially Log4Shell, are severe, according to the Cybersecurity & Infrastructure Security Agency (CISA).

Log4j is open source software provided by the Apache Software Foundation. It records events—errors and routine system operations—and communicates diagnostic messages about them to system administrators and users. An analogous example can be found in the Windows system Event Viewer, but since it’s proprietary to Microsoft, it isn’t affected by the Log4j vulnerability.

Unfortunately, Log4Shell exploits a feature in Log4j that allows users to write custom code for formatting a log message. Besides tracking user names (real names) and creating log messages, Log4j allows third-party servers to submit code that can perform actions on a targeted computer, which allows hackers to steal sensitive information, take control of a targeted system and slip malicious content to users contacting the hacked server.

Fortunately, Microsoft is largely absolved from this vulnerability. “This isn’t really a Microsoft-related problem, as Log4j is an Apache Foundation product for Java,” says Byres. “So I’d expect that Microsoft products like Active Directory or their operating systems will not be affected since their use of Java is limited. However, there are Microsoft services like SQL Server 2019 Big Data Clusters that are affected. The real issues that we are seeing are the applications running on Microsoft products that may use Log4j and thus, be susceptible to these vulnerabilities.”

What about internet routers and DNS servers? “My initial guess is that most of the core internet routing hardware or DNS servers will not be affected,” says Byres. “The risk is likely with management server applications that monitor and supervise these critical devices—in other words, anything consuming logs from other devices.”

Unfortunately, vulnerabilities turn into attacks

The vulnerability is almost too widespread to comprehend. “With the FACT platform, we have access to a database of about 45 million software packages and components used in the OT space,” says Byres. “We are seeing that 90% of the OT vendors have at least one affected product, and some, like Siemens, have hundreds.”

Tenable, a cybersecurity firm, expects to see several waves of iteration on this exploit, resulting in more aggressive damage that may be impossible to stop. According to telemetry data from Tenable, as of December 2021, only 70% of organizations have even scanned for the vulnerability. Of the assets that have been assessed, Log4Shell has been found in approximately 10%—including a wide range of servers, web applications, containers and IoT devices. Log4Shell is pervasive across all industries and geographies.

This zero-day bug has been demonstrated in a proof-of-concept, but there have already been attacks. “Unfortunately, there are lots of active attacks occurring,” says Byres. “The government security agencies like CISA and private services like Sophos and CloudFlare are all reporting active exploitation of the vulnerability. It is clear that both adversaries and security researchers are attempting to identify vulnerable hosts on the internet and take them over. Even the ransomware community is seeing this vulnerability as a golden opportunity. They will focus on getting access to their victims now and then launch the ransomware attacks at their convenience later.”

What CISA advises

In Alert (AA21-356A), “Mitigating Log4Shell and Other Log4j-Related Vulnerabilities,” CISA details further steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities.

These steps include:

  • Identifying assets affected by Log4Shell and other Log4j-related vulnerabilities
  • Upgrading Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates
  • Initiating hunt and incident response procedures to detect possible Log4Shell exploitation

Easier said than done?

While it’s great that CISA provides these steps, actually taking them could be a real challenge.

“Mitigation is impossible if you don’t even know if you’ve got the vulnerability,” says Byres. “Unfortunately, most OT companies won’t know what products contain Log4j. And if they don’t know that the software they’ve deployed on the plant floor contains the Log4j software, they won’t know to patch or block evil traffic until it is too late and they are compromised. As Jen Easterly, the head of CISA said, this vulnerability is ‘one of the most serious I’ve seen in my entire career, if not the most serious.’”

A major obstacle is that Log4j has been embedded in software products for some time. “Unfortunately, your readers should probably be very worried,” adds Byres. “The vulnerable Log4j software was initially released in 2014 so there have been seven years of shipping software that could be vulnerable. As we scan our database of software bills of materials (SBOMs) for ICS products, we see that Log4j software is widely deployed in OT products by many OEMs.”
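The asset-identification step is hard because Log4j is usually bundled inside other archives rather than installed on its own. As an added example (not from the article, CISA, or any vendor named here), the Python scanner below walks a JAR/WAR/EAR, including archives nested inside it, and reports each embedded log4j-core copy with its version and whether the JndiLookup class is still present. The sample WAR and its member names are constructed; the Maven metadata path and class path are the standard ones for log4j-core.

```python
import io
import re
import zipfile

# Standard locations inside a log4j-core JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_NESTED_BYTES = 64 * 1024 * 1024  # skip oversized members (zip-bomb guard)

def scan_archive(data, path, depth=0, max_depth=5):
    """Return one finding per log4j-core copy in `data`, nested archives included."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive; nothing to report
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            findings.append({"path": path, "version": version, "jndi_lookup": has_jndi})
        elif has_jndi:  # shaded or repackaged copy without Maven metadata
            findings.append({"path": path, "version": "unknown", "jndi_lookup": True})
        for name in sorted(names):
            nested = name.lower().endswith(ARCHIVE_EXT) and depth < max_depth
            if nested and zf.getinfo(name).file_size <= MAX_NESTED_BYTES:
                findings += scan_archive(zf.read(name), f"{path}!/{name}", depth + 1, max_depth)
    return findings

def _zip(entries):
    """Build an in-memory archive from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample():
    """Constructed sample: a vendor WAR with log4j-core bundled at two depths."""
    core = _zip({POM_PROPS: "artifactId=log4j-core\nversion=2.14.1\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    stripped = _zip({POM_PROPS: "artifactId=log4j-core\nversion=2.14.1\n"})
    plugin = _zip({"lib/log4j-core-2.14.1.jar": stripped})
    return _zip({"WEB-INF/lib/log4j-core-2.14.1.jar": core,
                 "WEB-INF/lib/historian-plugin.jar": plugin, "index.html": "<html/>"})

if __name__ == "__main__":
    for finding in scan_archive(build_sample(), "vendor-hmi.war"):
        print(finding)
```

Each finding's `path` uses `!/` to show the nesting chain, which is what lets an asset owner trace a buried copy back to the product that shipped it.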

Is this vulnerability like SolarWinds?

Some people have been comparing the Log4j vulnerability to SolarWinds, but they are not really comparable, says Byres. “One was a deliberate and sophisticated attack, and the other is a widespread vulnerability. They may be [similar] when we consider long-term impact.”

The Log4j issue is far less sophisticated and is more of a commodity attack opportunity, which is good, because it’s not as stealthy, i.e., it wasn’t hidden in a vendor’s legitimate product and upgrade pipeline, says Byres. The bad news is that it is easy to execute, so many more threat actors will take advantage of it. The other bad news is it will invisibly live on within many products, and many of those products will go without fixes until they are retired.

A patch can’t undo an already compromised host, says Byres. Similar to the SolarWinds case, patches to software containing Log4j don’t completely address the risk. They may remove the attack vector, provided that a company hasn’t already been compromised, but many companies are not in a position to know if they were compromised.

Like SolarWinds, the Log4j vulnerability highlights the challenge of third-party risk management that the industry is facing today. Asset owners and governments will certainly demand more visibility into what exactly they are buying when they purchase a software or hardware “solution.” Suppliers will be scrambling to provide this information, and it will be an interesting few months, Byres adds.

Help is available

At the time of writing this report, tools are becoming available, and expert help is available from aDolus Technology (https://adolus.com/vulnerabilities/log4j/) and Tenable (www.tenable.com), which both specialize in OT security. CISA has released an Apache Log4j scanner to find vulnerable applications, according to Sergiu Gatlan on BleepingComputer.com. “This scanning solution builds upon similar tools, including an automated scanning framework for the CVE-2021-44228 bug (dubbed Log4Shell) and developed by cybersecurity company FullHunt,” says Gatlan. More about the scanner can be found on GitHub at https://github.com/cisagov/log4j-scanner/tree/master/log4-scanner#features.

Resources

“Apache Log4j Vulnerability Guidance,” Cybersecurity & Infrastructure Security Agency (CISA), https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

Copyright ©2025. All Rights Reserved BNP Media.
