ICS Networks at Risk Due to Flaw in Schneider PLC Simulator

2016 ICS Cyber Security Conference, Indegy CTO Mille Gandelsman

ICS CYBER SECURITY CONFERENCE – A serious vulnerability in one of Schneider Electric's software platforms can allow malicious actors to remotely execute arbitrary code on engineering workstations via specially crafted project files. Similar flaws could affect products from other vendors, and such attacks are not easy to detect.

On Tuesday, at SecurityWeek’s 2016 ICS Cyber Security Conference, Indegy CTO Mille Gandelsman disclosed a vulnerability found by the company in Unity Pro, a Windows-based programming, debugging and operating software for Schneider’s programmable logic controllers (PLCs).

Unity Pro, typically deployed on engineering workstations, includes a PLC simulator component that lets users test applications without connecting to a physical PLC. Before code is executed on the PLC itself, the project is compiled to x86 instructions and loaded into the simulator as an .apx file.

According to Indegy, an attacker can take a large project file and replace part of its compiled code with a malicious payload. The file's integrity check must still pass, but Gandelsman told SecurityWeek that this is not difficult: the value that has to be preserved is a plain checksum rather than a cryptographic signature, so anyone who understands the format can recompute it over the modified contents.

“As soon as one is familiar with this mechanism, it’s trivial to perform it for each new file,” Gandelsman explained.
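The integrity point above is the one a practitioner should take away: a checksum is a public function of the bytes, so the party who changed the bytes can always recompute it, whereas a keyed tag or signature cannot be regenerated without the loader's secret. The following is an added example, not Indegy's or Schneider's code; it uses a hypothetical project container (magic, length, payload, trailer) that is not the real .apx layout, which the article does not document, and a stand-in byte string in place of real compiled code.

```python
import binascii
import hashlib
import hmac
import struct

# Hypothetical project container used only for this example. It is NOT the real
# .apx layout, which the article does not document:
#   4-byte magic | 4-byte little-endian payload length | payload | trailer
# In the weak variant the trailer is a CRC32 of the payload; in the keyed variant it
# is an HMAC-SHA256 over magic, length and payload under a key only the loader holds.
MAGIC = b"PRJ1"
TAG_LEN = 32  # HMAC-SHA256 output size


def pack_crc(payload: bytes) -> bytes:
    """Weak integrity: anyone can compute the trailer from the bytes alone."""
    crc = binascii.crc32(payload) & 0xFFFFFFFF
    return MAGIC + struct.pack("<I", len(payload)) + payload + struct.pack("<I", crc)


def verify_crc(blob: bytes) -> bool:
    """Loader-side check for the CRC variant: magic, length and CRC must line up."""
    if len(blob) < 12 or blob[:4] != MAGIC:
        return False
    (n,) = struct.unpack("<I", blob[4:8])
    if len(blob) != 8 + n + 4:
        return False
    (crc,) = struct.unpack("<I", blob[8 + n:])
    return (binascii.crc32(blob[8:8 + n]) & 0xFFFFFFFF) == crc


def pack_hmac(payload: bytes, key: bytes) -> bytes:
    """Keyed integrity: the trailer cannot be recomputed without the key."""
    body = MAGIC + struct.pack("<I", len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_hmac(blob: bytes, key: bytes) -> bool:
    """Loader-side check for the keyed variant, with a constant-time tag compare."""
    if len(blob) < 8 + TAG_LEN or blob[:4] != MAGIC:
        return False
    (n,) = struct.unpack("<I", blob[4:8])
    if len(blob) != 8 + n + TAG_LEN:
        return False
    body, tag = blob[:8 + n], blob[8 + n:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)


def payload_of(blob: bytes) -> bytes:
    (n,) = struct.unpack("<I", blob[4:8])
    return blob[8:8 + n]


def swap_region(payload: bytes, marker: bytes, replacement: bytes) -> bytes:
    """Replace one region of compiled code, as the article describes the attacker doing."""
    at = payload.find(marker)
    if at < 0:
        raise ValueError("marker not present")
    return payload[:at] + replacement + payload[at + len(marker):]


def attack_crc(blob: bytes, marker: bytes, replacement: bytes) -> bytes:
    """Tamper with the CRC-protected file and repair its integrity check: the
    attacker simply recomputes the public checksum over the modified payload."""
    return pack_crc(swap_region(payload_of(blob), marker, replacement))


def attack_hmac(blob: bytes, marker: bytes, replacement: bytes, key_guess: bytes) -> bytes:
    """Same tampering against the keyed file. Without the real key the best the
    attacker can do is guess one, so the loader's verification fails."""
    return pack_hmac(swap_region(payload_of(blob), marker, replacement), key_guess)


# Constructed sample "compiled project" (stand-in bytes, not real x86 code).
ORIGINAL = b"\x55\x89\xe5 BENIGN_BLOCK \xc9\xc3"
MARKER, EVIL = b"BENIGN_BLOCK", b"EVIL_PAYLOAD"
LOADER_KEY = b"loader-secret-key-for-demo"   # assumed to live only on the loader side


def demo() -> dict:
    weak = pack_crc(ORIGINAL)
    weak_forged = attack_crc(weak, MARKER, EVIL)
    strong = pack_hmac(ORIGINAL, LOADER_KEY)
    strong_forged = attack_hmac(strong, MARKER, EVIL, key_guess=b"wrong-key")
    return {
        "crc_original_ok": verify_crc(weak),
        "crc_forged_ok": verify_crc(weak_forged),                 # True: the checksum gives no protection
        "crc_forged_has_payload": EVIL in weak_forged,
        "hmac_original_ok": verify_hmac(strong, LOADER_KEY),
        "hmac_forged_ok": verify_hmac(strong_forged, LOADER_KEY), # False: tampering is detected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A symmetric HMAC is the minimum that turns "preserve the checksum" into "obtain the key"; a signature verified against a public key pinned in the loader gives the same property without placing a secret on every workstation, which is the better fit for vendor-distributed project files.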

Once the malicious .apx file is prepared, the attacker can push it to the Unity Pro simulator remotely over a TCP port that is open by default. This is possible because of a feature in the software that lets .apx files be retrieved from a remote location and executed on the simulator.

The malicious payload then runs on the engineering workstation hosting Unity Pro, with debug privileges. According to Gandelsman, once attackers control the workstation used to program industrial controllers, they can manipulate critical processes in any way they choose, which could even lead to physical damage.


The attack requires no user interaction, but the attacker first needs access to the targeted organization's network, since engineering workstations should not be reachable from the Internet if the control network is properly designed and segmented.

Schneider Electric patched the vulnerability earlier this month with the release of Unity Pro version 11.1. The energy management giant has pointed out that the attack described by the security firm works only if no other application is loaded into the simulator, or if the loaded application is not password-protected.

Indegy has warned that products from other PLC vendors could be affected by similar vulnerabilities, and that such attacks may not be easy to detect.

Unlike IT networks, where data-plane and control-plane traffic share the same communications protocols, ICS networks often carry their control-plane traffic over proprietary protocols, as is the case with Unity Pro.

“Widely known protocols like MODBUS, PROFINET and DNP3 are all data-plane protocols. However, this is not where dangerous manipulations to ICS/SCADA networks and industrial controllers take place,” the industrial cyber security firm explained. “The control-plane activities, which include all engineering and management activities performed on controllers (PLCs, RTUs), are executed over proprietary, vendor-specific protocols which are unnamed, undocumented, and unmonitored.”

The security firm has advised organizations not to rely on traditional security products to detect attacks on their ICS networks, and to implement additional controls specifically designed to monitor activity carried over these proprietary protocols.
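Even without a decoder for a proprietary control-plane protocol, the two facts the article gives (the simulator listens on a default TCP port, and the attack arrives from inside the network as an unusually large project file) are enough for a first detection rule. The example below is added here and is not Indegy's tooling; the port number, the engineering hosts, the engineering subnet and the size threshold are placeholders an operator would replace with values from their own network documentation, and the flow records are constructed, not captured traffic.

```python
import ipaddress
from typing import Dict, List

# Assumptions for this example (not facts from the article): the simulator's listening
# port, the engineering hosts and the approved engineering subnet are placeholders.
SIM_PORT = 9999                                   # placeholder for the simulator's remote-load port
ENG_WORKSTATIONS = {"10.10.2.20"}                 # hosts running Unity Pro
ENGINEERING_NET = ipaddress.ip_network("10.10.2.0/24")
LARGE_UPLOAD_BYTES = 5_000_000                    # review threshold for project transfers

# Well-known data-plane ports; controller reprogramming does not happen over these.
DATA_PLANE_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}


def parse_flow(line: str) -> Dict:
    """Parse one constructed flow record: ts src dst proto dport bytes."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.upper(),
            "dport": int(dport), "bytes": int(nbytes)}


def classify_plane(flow: Dict) -> str:
    """Separate control-plane (engineering) traffic from data-plane (process) traffic."""
    if flow["proto"] == "TCP" and flow["dport"] == SIM_PORT and flow["dst"] in ENG_WORKSTATIONS:
        return "control"
    if flow["dport"] in DATA_PLANE_PORTS:
        return "data"
    return "other"


def inspect(lines: List[str]) -> List[Dict]:
    """Flag control-plane connections to the simulator port that come from outside the
    engineering network, and large transfers that deserve a second look even from inside."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if classify_plane(f) != "control":
            continue  # data-plane and unrelated traffic are out of scope for this rule
        if ipaddress.ip_address(f["src"]) not in ENGINEERING_NET:
            alerts.append({**f, "severity": "high",
                           "reason": "simulator port reached from outside the engineering network"})
        elif f["bytes"] >= LARGE_UPLOAD_BYTES:
            alerts.append({**f, "severity": "medium",
                           "reason": "unusually large project transfer; confirm with the engineer"})
    return alerts


# Constructed flow records (not captured traffic).
SAMPLE_FLOWS = [
    "2016-10-25T09:58:11Z 10.10.2.15 10.10.2.20 TCP 9999 48000",     # engineer, normal load
    "2016-10-25T10:01:02Z 10.10.7.41 10.10.2.20 TCP 9999 7340032",   # office host pushes a big file
    "2016-10-25T10:03:30Z 10.10.2.15 10.10.2.20 TCP 9999 6200000",   # engineer, large transfer
    "2016-10-25T10:04:00Z 10.10.7.41 10.10.3.5 TCP 502 120",         # Modbus to a PLC: data plane
    "2016-10-25T10:05:00Z 10.10.7.41 10.10.2.20 UDP 9999 120",       # not the TCP service
]


if __name__ == "__main__":
    for a in inspect(SAMPLE_FLOWS):
        print(a["severity"], a["ts"], a["src"], "->", a["dst"], a["reason"])
```

The rule deliberately ignores Modbus and DNP3 flows: as the article's point about control versus data plane makes clear, a monitor that only understands those protocols would not see the project upload at all. The "medium" branch exists because a legitimate engineer can also load a large project, so that case is a review item rather than a block.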

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
