ICS Networks at Risk Due to Flaw in Schneider PLC Simulator

2016 ICS Cyber Security Conference, Indegy CTO Mille Gandelsman

ICS CYBER SECURITY CONFERENCE – A serious vulnerability affecting one of Schneider Electric’s software platforms can allow malicious actors to remotely execute arbitrary code on engineering workstations via specially crafted project files. Similar flaws could affect products from other vendors and attacks are not easy to detect.

On Tuesday, at SecurityWeek’s 2016 ICS Cyber Security Conference, Indegy CTO Mille Gandelsman disclosed a vulnerability found by the company in Unity Pro, a Windows-based programming, debugging and operating software for Schneider’s programmable logic controllers (PLCs).

Unity Pro, typically deployed on engineering workstations, includes a PLC simulator component that allows users to test applications without connecting to a PLC. Before code is executed on the PLC itself, it can be compiled into x86 instructions and loaded into the simulator in the form of .apx files.

According to Indegy, attackers can create large project files and replace certain parts of the code with a malicious payload. The integrity of the .apx file needs to be preserved, but Gandelsman told SecurityWeek that it’s not a difficult task given that the checksum that must be preserved is not based on a cryptographic signature.

“As soon as one is familiar with this mechanism, it's trivial to perform it for each new file,” Gandelsman explained.
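To illustrate the distinction Gandelsman draws between a checksum and a cryptographic signature, here is an added example that is not Schneider's or Indegy's code; the container layout (length prefix, payload, trailer) is a made-up stand-in, since the article does not describe the real .apx format. A verifier that trusts a CRC32 trailer accepts any payload as long as the trailer is recomputed, whereas an HMAC trailer keyed with a secret the verifier holds rejects a payload swap.

```python
import hashlib
import hmac
import struct
import zlib

TAG_LEN = 32  # HMAC-SHA256 output size


# Hypothetical container (not the real .apx layout): 4-byte little-endian payload
# length, the payload, then a 4-byte CRC32 of the payload.
def pack_crc(payload: bytes) -> bytes:
    return struct.pack("<I", len(payload)) + payload + struct.pack("<I", zlib.crc32(payload))


def verify_crc(blob: bytes) -> bool:
    (n,) = struct.unpack("<I", blob[:4])
    payload, trailer = blob[4:4 + n], blob[4 + n:8 + n]
    return len(trailer) == 4 and zlib.crc32(payload) == struct.unpack("<I", trailer)[0]


# Same container, but the trailer is an HMAC-SHA256 over the payload under a key
# that only the legitimate producer and the verifier hold.
def pack_hmac(payload: bytes, key: bytes) -> bytes:
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return struct.pack("<I", len(payload)) + payload + tag


def verify_hmac(blob: bytes, key: bytes) -> bool:
    (n,) = struct.unpack("<I", blob[:4])
    payload, tag = blob[4:4 + n], blob[4 + n:4 + n + TAG_LEN]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest returns False for mismatched lengths, so a truncated tag fails too.
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Compare how each scheme treats a file whose payload was replaced."""
    key = b"constructed-demo-key"             # constructed secret for the example
    original = b"ORIGINAL PROJECT LOGIC"      # constructed payload
    replaced = b"REPLACED PROJECT LOGIC"      # constructed substitute payload

    # Legitimate files pass both checks.
    crc_genuine = verify_crc(pack_crc(original))
    hmac_genuine = verify_hmac(pack_hmac(original, key), key)

    # With a CRC the verifier cannot tell a recomputed trailer from the original one.
    crc_after_swap = verify_crc(pack_crc(replaced))

    # Without the key, the old tag is the only one available; it does not match.
    old_tag = pack_hmac(original, key)[-TAG_LEN:]
    hmac_after_swap = verify_hmac(struct.pack("<I", len(replaced)) + replaced + old_tag, key)

    return {"crc_genuine": crc_genuine, "hmac_genuine": hmac_genuine,
            "crc_after_swap": crc_after_swap, "hmac_after_swap": hmac_after_swap}
```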

Once the malicious .apx file is created, an attacker can remotely download it to the Unity Pro simulator over a TCP port that is open by default. This is possible due to a feature in the software that allows .apx files to be retrieved from a remote location and executed on the simulator.

The malicious payload is then executed on the engineering workstation running Unity Pro with debug privileges. According to Gandelsman, attackers who can reprogram industrial controllers can manipulate critical processes in any way they desire, which could even lead to physical damage.

The attack does not require user interaction, but the attacker needs to gain access to the targeted organization’s network, as engineering workstations are typically not reachable from the Internet if the control network is designed and configured properly.

Schneider Electric patched the vulnerability earlier this month with the release of Unity Pro version 11.1. The energy management giant has pointed out that the attack described by the security firm only works if no other application is loaded into the simulator, or if the loaded application is not password-protected.

Indegy has warned that products from other PLC vendors could be affected by similar vulnerabilities and attacks might not be easy to detect.

Unlike IT networks, where data-plane and control-plane activities use the same communications protocols, ICS networks often carry control-plane traffic over proprietary protocols, as is the case with Unity Pro.

“Widely known protocols like MODBUS, PROFINET and DNP3, are all data-plane protocols. However, this is not where dangerous manipulations to ICS/SCADA networks and industrial controllers take place,” the industrial cyber security firm explained. “The control-plane activities, which include all engineering and management activities performed on controllers (PLCs, RTUs) are executed over proprietary, vendor specific protocols which are unnamed, undocumented, and unmonitored.”

The security firm has advised organizations not to rely on traditional security products to detect attacks on their ICS networks, and to implement additional controls specifically designed to monitor activity carried over proprietary protocols.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.