Schneider Electric praised for positive response to ICS security flaw

Security notification

Before making the vulnerability public, Indegy contacted Schneider Electric, which responded by publishing a security notification and releasing a software update to fix the vulnerability. The company said all versions of the Unity Pro software prior to and including version 11.1 are affected.

“Security issues in control systems are widespread and continue to grow in numbers as researchers focus on uncovering them, but what impresses me most about this story is that Schneider was able to quickly respond to the issues and create an update that addresses the discovered security vulnerabilities,” said Mike Ahmadi, global director, critical systems security at Synopsys.

“This is a sign of a mature organisation with a solid cyber security incident management plan. As someone who has worked with Schneider in the past, I know they expend considerable effort in internal cyber security vulnerability testing, as well as incident response,” he added.

Neither Indegy nor Schneider Electric has confirmed whether there have been any known instances of the flaw being exploited by attackers.

This is not the first time a security flaw has been found in software produced by Schneider Electric. In 2015, a bug was identified that was linked to a series of vulnerabilities related to credential and authentication verification in two of the company’s human-machine interface (HMI) products that could have allowed an attacker to run arbitrary code, according to Threatpost.

In its 2015 annual vulnerability report, the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said more than half of reported vulnerabilities came from improper input validation (25%) and permissions, privileges and access controls (27%).

Other vulnerabilities were linked to poor code quality (6%), cryptographic issues (11%), credential management (19%) and improper resource controls (12%).

“Control systems and their components should never be accessible directly from the internet,” said Tim Erlin, director, product management at security firm Tripwire.

“While it may seem obvious to many people that control systems should not be directly accessible from the internet, it is also a fact that many of these systems are.”

Addressing the vulnerability

Although the Unity Pro vulnerability is serious, Erlin said the good news is that there are several steps control systems operators can take to address it, including a patch available from Schneider Electric.

“In cases where a system can’t be patched or otherwise protected, Schneider customers should be diligently monitoring for any hint of exploit activity,” he said.

Rod Schultz, vice-president of product at security firm Rubicon Labs, said remote code execution is one of many vulnerabilities for a digital system that has been connected to a network.

“While remote code execution attacks are sophisticated, once discovered, they are incredibly easy to reproduce, and an example of a type of attack that will be seen in the internet of things,” he said. “Security is becoming more important and, unfortunately, it is getting harder to do.”

According to Schultz, managed services for security and protection must be created to simplify these problems for device manufacturers and service providers.

“The world will not stop connecting devices to a network, and attackers are getting more and more motivated to attack this expanding target,” he said.