Schneider Electric has won praise for its quick response to the discovery of a security vulnerability in its Unity Pro industrial controller management software.
But the flaw has once again highlighted the vulnerability of industrial control systems (ICSs), particularly as more and more such systems become connected to the internet.
Indegy noted that anyone who has access to a control network has access to all of its industrial controllers, because controllers typically lack authentication mechanisms and industrial communication protocols typically lack encryption. Even so, some vulnerabilities can pose “exceptional risk” to ICS networks.
The vulnerability in Unity Pro allows any user to execute code, with debug privileges, directly on any computer on which the product is installed, said Indegy.
The flaw resides in a component of Unity Pro software called Unity Pro PLC Simulator, which is used to test industrial controllers, according to Indegy.
The flaw is of particular concern because Unity Pro is present in every control network in the world that uses Schneider Electric programmable logic controllers (PLCs), which makes virtually any process controlled by these PLCs vulnerable.
“If the IP address of the Windows PC running the Unity Pro software is accessible to the internet, then anyone can exploit the software and run code on hardware,” Mille Gandelsman, CTO of Indegy, told Threatpost. “This is the crown jewel of access. An attacker can do anything they want with the controllers themselves.”
Before making the vulnerability public, Indegy contacted Schneider Electric, which responded by publishing a security notification and releasing a software update to fix the vulnerability. The company said all versions of the Unity Pro software prior to and including version 11.1 are affected.
“Security issues in control systems are widespread and continue to grow in numbers as researchers focus on uncovering them, but what impresses me most about this story is that Schneider was able to quickly respond to the issues and create an update that addresses the discovered security vulnerabilities,” said Mike Ahmadi, global director, critical systems security at Synopsys.
“This is a sign of a mature organisation with a solid cyber security incident management plan. As someone who has worked with Schneider in the past, I know they expend considerable effort in internal cyber security vulnerability testing, as well as incident response,” he added.
Neither Indegy nor Schneider Electric has confirmed whether there have been any known instances of the flaw being exploited by attackers.
This is not the first time a security flaw has been found in software produced by Schneider Electric. In 2015, a bug was identified that was linked to a series of vulnerabilities in credential and authentication verification in two of the company’s human-machine interface (HMI) products, which could have allowed an attacker to run arbitrary code, according to Threatpost.
In its 2015 annual vulnerability report, the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said more than half of reported vulnerabilities came from improper input validation (25%) and permissions, privileges and access controls (27%).
Other vulnerabilities were linked to poor code quality (6%), cryptographic issues (11%), credential management (19%) and improper resource controls (12%).
“Control systems and their components should never be accessible directly from the internet,” said Tim Erlin, director, product management at security firm Tripwire.
“While it may seem obvious to many people that control systems should not be directly accessible from the internet, it is also a fact that many of these systems are.”
Addressing the vulnerability
Although the Unity Pro vulnerability is serious, Erlin said the good news is that there are several steps control systems operators can take to address it, including a patch available from Schneider Electric.
“In cases where a system can’t be patched or otherwise protected, Schneider customers should be diligently monitoring for any hint of exploit activity,” he said.
Rod Schultz, vice-president of product at security firm Rubicon Labs, said remote code execution is one of many vulnerabilities for a digital system that has been connected to a network.
“While remote code execution attacks are sophisticated, once discovered, they are incredibly easy to reproduce, and an example of a type of attack that will be seen in the internet of things,” he said. “Security is becoming more important and, unfortunately, it is getting harder to do.”
According to Schultz, managed services for security and protection must be created to simplify these problems for device manufacturers and service providers.
“The world will not stop connecting devices to a network, and attackers are getting more and more motivated to attack this expanding target,” he said.