Saturday, October 29, 2016

Public ICS Vulnerability Disclosures – 10-29-16

This week saw a public disclosure of a control system security vulnerability at the 2016 Industrial Control Systems (ICS) Cyber Security Conference (the old Joe Weiss conference under new management). Indegy CTO Mille Gandelsman presented a talk, “Ghost in the Machine: SCADA Vulnerability Enables Remote Control of ICS Networks”, about a vulnerability in the Schneider UnityPro software platform. This was a coordinated disclosure, with Schneider publishing a Security Notification concerning the vulnerability.

Comparing the Indegy blog post about this vulnerability with the Schneider notification, it almost seems as if the two organizations are describing two separate vulnerabilities. Indegy describes the vulnerability consequences this way:

“The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges. The vulnerable software tool is present in every control network in the world that uses Schneider-Electric controllers. Regardless of the SCADA/DCS applications in use, if Schneider Electric controllers are deployed, this software will be used on the engineering workstations. This makes this attack relevant across virtually any process controlled by these PLCs. Since Schneider Electric is one of the largest industrial control equipment providers, this vulnerability is a major concern.”

Schneider simply notes: “This vulnerability is made possible when no application program has been loaded in the simulator or when the application program loaded in the simulator is not password protected.”

Schneider has produced a new version of the software that mitigates the vulnerability. They still note that: “It is up to user responsibility to protect his application by a proper password.”

Schneider published their notification on October 14th and the Indegy presentation was made on October 25th. ICS-CERT has not yet reported on this vulnerability, though it has been widely reported in the press (see for example here and here).

