This week saw a public disclosure of a control system
security vulnerability at the 2016 Industrial Control Systems (ICS) Cyber
Security Conference (the old Joe Weiss conference under new management). Indegy
CTO Mille Gandelsman presented a talk, “Ghost in the
Machine: SCADA Vulnerability Enables Remote Control of ICS Networks”, about
a vulnerability in the Schneider UnityPro software platform. This was a
coordinated disclosure with Schneider publishing a Security
Notification concerning the vulnerability.
Reading the Indegy blog
post about this vulnerability and then looking at the Schneider
notification, it almost looks like the two organizations are looking at two
separate vulnerabilities. Indegy describes the vulnerability consequences this
way:
“The vulnerability in Unity Pro
allows any user to remotely execute code directly on any computer on which this
product is installed, in debug privileges. The vulnerable software tool is
present in every control network in the world that uses Schneider-Electric
controllers. Regardless of the SCADA/DCS applications in use, if Schneider
Electric controllers are deployed, this software will be used on the
engineering workstations. This makes this attack relevant across virtually any
process controlled by these PLCs. Since Schneider Electric is one of the
largest industrial control equipment providers, this vulnerability is a major
concern.”
Schneider simply notes: “This vulnerability is made possible
when no application program has been loaded in the simulator or when the
application program loaded in the simulator is not password protected.”
Schneider has produced a new version of the software that
mitigates the vulnerability. They still note that: “It is up to user
responsibility to protect his application by a proper password.”
Posts
No comments:
Post a Comment