Today the DHS ICS-CERT published a control system security advisory for a product from Schneider Electric and updated another for a product from GE.
This advisory describes a credentials management vulnerability in the Schneider Electric Wonderware Historian. The vulnerability was reported by Ruslan Habalov and Jan Bee of the Google ISA Assessments Team. Schneider has provided workaround instructions to mitigate the vulnerability. There is no indication that the researchers have been provided the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to compromise Historian databases.
This update provides additional information on the security advisory covering the GE Proficy Human-Machine Interface/Supervisory Control and Data Acquisition (HMI/SCADA) iFIX, Proficy HMI/SCADA CIMPLICITY, and Proficy Historian software. That advisory was originally published on January 17th, 2017. The update provides a link to the GE Product Security Advisory for the vulnerability. That GE document provides workaround data that can be used if upgrading is not a timely or workable alternative.