
ICS Networks at Risk Due to Flaw in Schneider PLC Simulator

2016 ICS Cyber Security Conference, Indegy CTO Mille Gandelsman

ICS CYBER SECURITY CONFERENCE – A serious vulnerability affecting one of Schneider Electric’s software platforms can allow malicious actors to remotely execute arbitrary code on engineering workstations via specially crafted project files. Similar flaws could affect products from other vendors and attacks are not easy to detect.

On Tuesday, at SecurityWeek’s 2016 ICS Cyber Security Conference, Indegy CTO Mille Gandelsman disclosed a vulnerability found by the company in Unity Pro, a Windows-based programming, debugging and operating software for Schneider’s programmable logic controllers (PLCs).

Unity Pro, typically deployed on engineering workstations, includes a PLC simulator component that allows users to test applications without the need to connect to the PLC. Before executing code on the PLC itself, x86 instructions can be compiled and loaded into the simulator using .apx files.

According to Indegy, attackers can create large project files and replace certain parts of the code with a malicious payload. The integrity of the .apx file needs to be preserved, but Gandelsman told SecurityWeek that it’s not a difficult task given that the checksum that must be preserved is not based on a cryptographic signature.

“As soon as one is familiar with this mechanism, it’s trivial to perform it for each new file,” Gandelsman explained.
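The weakness described above is that the file's integrity check is a plain checksum rather than a keyed or signed value. The following is an added illustration, not code from the article, from Indegy or from Schneider Electric: it contrasts an additive checksum with an HMAC over two constructed byte strings that stand in for a project file and a tampered copy of it. The file contents, the key and the checksum width are assumptions; HMAC-SHA256 stands in for the digital signature the article says the format lacks, since the property that matters is that verification depends on a secret the tamperer does not hold.

```python
import hashlib
import hmac

# Constructed sample "project file" contents. Real .apx files are a proprietary
# Schneider format; these byte strings stand in for a header plus a code section.
ORIGINAL_FILE = b"HDR:SET 1 2"
# The tampered copy swaps the two operand bytes. It contains exactly the same
# multiset of byte values, so any additive checksum over it is unchanged.
TAMPERED_FILE = b"HDR:SET 2 1"

# Hypothetical key held by the tool that produces and verifies files (an
# assumption for this example, not something the article describes).
VERIFIER_KEY = b"example-key-not-from-the-article"


def additive_checksum(data: bytes) -> int:
    """16-bit additive checksum: detects accidental corruption only."""
    return sum(data) & 0xFFFF


def verify_checksum(data: bytes, expected: int) -> bool:
    """Accept the file if its additive checksum matches the stored value."""
    return additive_checksum(data) == expected


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the file; cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Accept the file only if the keyed tag verifies (constant-time compare)."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def compare_integrity_checks() -> dict:
    """Run both checks against the original and the tampered file."""
    stored_checksum = additive_checksum(ORIGINAL_FILE)
    stored_tag = hmac_tag(VERIFIER_KEY, ORIGINAL_FILE)
    return {
        "checksum_accepts_original": verify_checksum(ORIGINAL_FILE, stored_checksum),
        # The unkeyed checksum cannot tell the two files apart.
        "checksum_accepts_tampered": verify_checksum(TAMPERED_FILE, stored_checksum),
        "hmac_accepts_original": verify_hmac(VERIFIER_KEY, ORIGINAL_FILE, stored_tag),
        # Any change to the bytes invalidates the tag, and a new tag needs the key.
        "hmac_accepts_tampered": verify_hmac(VERIFIER_KEY, TAMPERED_FILE, stored_tag),
    }


if __name__ == "__main__":
    for check, outcome in compare_integrity_checks().items():
        print(f"{check}: {outcome}")
```

The additive checksum accepts both files, which is the situation the article describes for a non-cryptographic check; a checksum is a guard against accidental corruption, not against a deliberate edit. A keyed MAC or, in a shipping product, a signature verified against a vendor public key rejects the altered file regardless of how the bytes were chosen.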

Once the malicious .apx file is created, an attacker can remotely download it to the Unity Pro simulator over a TCP port that is open by default. This is possible due to a feature in the software that allows .apx files to be retrieved from a remote location and executed on the simulator.

The malicious payload is then executed on the engineering workstation running Unity Pro with debug privileges. According to Gandelsman, if they can reprogram industrial controllers, attackers can manipulate critical processes in any way they desire, which could even lead to physical damage.

The attack does not require user interaction, but the attacker needs access to the targeted organization’s network, as engineering workstations are typically not reachable from the Internet if the control network is designed and configured properly.

Schneider Electric patched the vulnerability earlier this month with the release of Unity Pro version 11.1. The energy management giant has pointed out that the attack described by the security firm only works if no other application is loaded into the simulator or when the loaded app is not password-protected.

Indegy has warned that products from other PLC vendors could be affected by similar vulnerabilities and attacks might not be easy to detect.

Unlike IT networks, where data-plane and control-plane activities use the same communications protocols, ICS networks often carry control-plane activity over proprietary protocols, as is the case with Unity Pro.

“Widely known protocols like MODBUS, PROFINET and DNP3 are all data-plane protocols. However, this is not where dangerous manipulations to ICS/SCADA networks and industrial controllers take place,” the industrial cyber security firm explained. “The control-plane activities, which include all engineering and management activities performed on controllers (PLCs, RTUs), are executed over proprietary, vendor-specific protocols which are unnamed, undocumented, and unmonitored.”

The security firm has advised organizations not to rely on traditional security products to detect attacks on their ICS network, and to implement additional controls specifically designed for monitoring activity associated with proprietary protocols.
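One concrete form of the monitoring the article recommends is to treat connections into engineering workstations, and in particular to the simulator's listening port, as control-plane activity that must come from an expected peer. The script below is an added example written for this article, not a tool from Indegy, Schneider Electric or SecurityWeek: it parses a few constructed connection-log lines and raises an alert for any connection to an engineering workstation from outside the engineering segment. The segment, the workstation address, the log format and the simulator port number are all assumptions; the article does not name the port, so `SIMULATOR_PORT` is a placeholder to be replaced with the value from the vendor documentation.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed network layout (not from the article): engineering workstations
# live in their own segment, and only peers in that segment may talk to them.
ENGINEERING_SEGMENT = ipaddress.ip_network("10.10.20.0/24")
ENGINEERING_WORKSTATIONS = {"10.10.20.15"}
# Placeholder: the article does not name the simulator's TCP port.
SIMULATOR_PORT = 49999

# Simple flow-style record: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <state>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<state>\w+)$"
)

# Constructed connection-log lines for the example.
SAMPLE_LOG = """\
2016-10-25T10:00:01Z 10.10.20.7:51022 -> 10.10.20.15:49999 tcp established
2016-10-25T10:00:05Z 10.10.50.33:40211 -> 10.10.20.15:49999 tcp established
2016-10-25T10:00:09Z 10.10.50.33:40212 -> 10.10.20.15:445 tcp established
2016-10-25T10:00:12Z 10.10.20.15:33000 -> 10.10.30.2:502 tcp established
this line is malformed and should be skipped
"""


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def flag_connections(lines: Iterable[str]) -> List[Alert]:
    """Alert on inbound connections to engineering workstations from unexpected peers."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in ENGINEERING_WORKSTATIONS:
            continue
        if ipaddress.ip_address(rec["src"]) in ENGINEERING_SEGMENT:
            continue  # expected peer inside the segment; nothing to report
        if rec["dport"] == SIMULATOR_PORT:
            severity = "high"
            reason = "simulator port reached from outside the engineering segment"
        else:
            severity = "medium"
            reason = "engineering workstation reached from outside the engineering segment"
        alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], rec["dport"], severity, reason))
    return alerts


if __name__ == "__main__":
    for alert in flag_connections(SAMPLE_LOG.splitlines()):
        print(f"[{alert.severity}] {alert.ts} {alert.src} -> {alert.dst}:{alert.dport}: {alert.reason}")
```

The rule is deliberately allow-list based: because the simulator's protocol is proprietary and no signature-based product will parse it, the practical signal is who is talking to the workstation rather than what they are saying. The same structure works for PLC programming ports on the controllers themselves, with the controller addresses in place of the workstation set.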

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
