A vulnerability in Schneider Electric’s industrial controller management software created a possible mechanism for hackers to plant malicious code on industrial networks.
Industrial cybersecurity firm Indegy discovered the recently resolved flaw in Schneider Electric’s flagship industrial controller management software, Unity Pro. “The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges,” Indegy warned in an advisory.
In a statement issued to El Reg, Schneider Electric said the flaw had been addressed in the latest version of its software. The firm is pushing out an alert [pdf] to customers explaining how to guard against the threat, either through updates or by following its mitigating advice.
Schneider Electric has become aware of a vulnerability in the Unity PRO Software prior to V11.1. We issued a Security Notification that shares mitigation recommendations. This vulnerability is made possible when no application program has been loaded in the simulator, or when the application program loaded in the simulator is not password protected.
David Zahn, general manager at PAS, Inc, a provider of industrial control systems cybersecurity technology, added that further flaws along the lines of the one successfully resolved by Schneider are inevitable because industrial control technology was never designed with security in mind.
“It is good that cybersecurity companies are disclosing these vulnerabilities and following good ethical disclosure practices, but no one should be surprised that such vulnerabilities exist,” Zahn said. “This is tip of the iceberg stuff as most control systems in the field today were designed without cybersecurity as even a consideration.”
He added: “It is common to see control systems that are 15, 20, and 25 years old in a production environment. They rely on air gapping, complexity, and other factors to protect them, but nothing specific to cybersecurity was inherently built within them."
The flaw was discovered six months ago before; Schneider Electric was privately notified to allow it to investigate and remedy the problem. Indegy went public with its research this week at the 2016 Industrial Control Systems Cyber Security Conference at Atlanta, USA.
Mike Ahmadi, global director of critical systems security at Synopsys, added: "Security issues in control systems are widespread and continue to grow in numbers as researchers focus on uncovering them.” ®