Schneider Electric Software Flaws Leave Critical Infrastructure Vulnerable

‘Critical vulnerabilities’ have been uncovered in a number of software tools from Schneider Electric that could result in cyber-attacks on industrial control systems.

This is according to research from Tenable Security, which found the zero-day exploit in critical infrastructure software.

It comes amid growing recognition by authorities of the need to safeguard critical infrastructure, such as power stations, water treatment facilities and manufacturing, from cyber exploitation by hostile nations.

Tool vulnerabilities

Tenable researchers detailed their findings about the vulnerabilities in the Schneider Electric tools in a blog post.

“Tenable Research recently discovered a new remote code execution vulnerability in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition,” the researchers wrote. “The applications contain an overflow condition that is triggered when input is not properly validated. This allows an attacker to force a stack-based buffer overflow, resulting in denial of service or potentially allowing the execution of arbitrary code.”

InduSoft Web Studio is a suite of tools that provides automated building blocks to develop human-machine interfaces (HMIs), Supervisory Control And Data Acquisition (SCADA) systems and embedded instrumentation solutions.

The InTouch Machine Edition software toolset can be used to develop applications with interfaces for web browsers, smartphones and tablets.

The concern is that if nation-state attackers or third-party hackers exploited these flaws, they could completely cripple power plants by moving laterally throughout the network and exposing multiple systems to attack.

“A threat actor can use the compromised machine to laterally transfer within the victim’s network and to execute further attacks. Additionally, connected HMI clients and OT devices can be exposed to attack,” Tenable wrote.

“Given the widespread prevalence and market share of the affected software in the OT space, and the fact that it is frequently deployed in sensitive industries, Schneider and Tenable consider this a critical vulnerability requiring urgent attention and response from affected end users,” the firm concluded.

The good news is that Schneider has since patched these flaws.

Network access

But at least one expert has said that the flaws may not be as bad as they first seem.

“If you’re going after the human machine interfaces (HMIs) – the middleware between the human and the control system – here’s the rut: you still have to gain access to the system network to do that,” said Bryan Singer, Director of Industrial Cybersecurity Services at IOActive.

“This vulnerability is almost meaningless,” he said. “The only thing this vulnerability might do is speed the process up a little bit if malicious actors are already on the network. If they’re on the network, they can already read the network traffic to manipulate network protocols, without using a vulnerability at all. All the industrial vendors are going to share similar types of weaknesses. There’s no point in calling one industrial company out over the other.”

Yet there is no doubt that attacks on critical infrastructure are a growing worry for governments around the world.

Earlier this year the British Government urged critical industries to do more to protect themselves from the growing threat of cyber attacks.

It appointed sector-specific regulators to ensure that essential services are protected, and warned organisations that they risk fines of up to £17 million if they do not have effective cyber security measures in place.

Last year the US government warned of ongoing cyber attacks against critical industries such as energy, nuclear and manufacturing, some of which had been successful.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
