Wednesday, April 10, 2013

ICS-CERT Publishes Another Schneider Advisory


Today the DHS ICS-CERT published an advisory for an improper authorization vulnerability in the Schneider Electric MiCOM S1 Studio Software. The vulnerability was reported by Michael Toecker of Digital Bond in a coordinated disclosure before Digital Bond’s S-4 Conference; Toecker then presented the vulnerability at the S-4 Conference.

ICS-CERT reports that a highly skilled attacker with network access could exploit this vulnerability to cause the system to run arbitrary code or execute a denial of service attack. Schneider has addressed this vulnerability through a trio of recommended practices which would, according to Schneider, mitigate the vulnerability. Those practices include:

• Standard practices always encourage users to validate the downloaded parameters through the devices’ front panel HMI;
• Schneider Electric recommends users employ best IT practices to secure their computer with authorized user login and password protection;
• On Windows 7 configured computers, use of User Access Control (UAC) can further improve the security of the computer; and
• Users who are not directly using this software on a regular basis are strongly encouraged to delete this application from their computer to reduce the likelihood of attack.
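As an added illustration (not part of the advisory, the Schneider guidance, or this post), the following PowerShell audit checks two of the practices above on a Windows 7 engineering workstation: whether UAC is actually enabled and how administrators are prompted, and whether the engineering software is still installed on a host that should no longer carry it. The UAC registry values are the documented Windows policy keys; the product name pattern `MiCOM S1` is an assumption about how the installer registers its DisplayName and should be adjusted to match the local install.

```powershell
# Added example, not code from ICS-CERT or Schneider Electric.
# Audits (1) UAC state and (2) presence of the engineering software.
# Assumption: the product's Uninstall entry has a DisplayName containing "MiCOM S1".

function Get-UacStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 1 = UAC on, 0 = off
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 0 = elevate silently, 2 = always prompt, 5 = default
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = prompt on the secure desktop
    }
}

function Find-InstalledProduct {
    param([string]$Pattern)
    # Check both native and 32-bit (WOW6432Node) uninstall hives.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Pattern*" } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

$uac = Get-UacStatus
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA != 1); the recommended UAC mitigation is not in effect.'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'Administrators elevate without any prompt (ConsentPromptBehaviorAdmin = 0).'
}

$found = Find-InstalledProduct -Pattern 'MiCOM S1'   # pattern is an assumption
if ($found) {
    Write-Warning 'Engineering software is installed on this host; remove it if the host is not used for relay configuration:'
    $found | Format-Table -AutoSize
} else {
    Write-Output 'No MiCOM S1 Studio entry found under the Uninstall keys.'
}
```

Run it from an elevated prompt so the HKLM policy key is readable; the warnings are meant to feed a periodic host inventory rather than to be fixed by the script itself, since UAC and software removal are change-controlled decisions on a protection-relay engineering workstation.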

In today’s threat environment these actions hardly seem a prudent method of protecting systems from an insider attack, particularly on systems that are designed to configure and maintain electronic protective relays.
