Schneider Electric Software Flaws Leave Critical Infrastructure Vulnerable

‘Critical vulnerabilities’ have been uncovered in a number of software tools from Schneider Electric that could enable cyber-attacks on industrial control systems.

This is according to research from Tenable Security, which found the zero-day flaw in critical infrastructure software.

It comes amid growing recognition by authorities of the need to safeguard critical infrastructure, such as power stations, water treatment facilities and manufacturing plants, from cyber exploitation by hostile nations.

Tool vulnerabilities

Tenable researchers detail their findings on the vulnerabilities in the Schneider Electric tools in a blog post.

“Tenable Research recently discovered a new remote code execution vulnerability in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition,” the researchers wrote. “The applications contain an overflow condition that is triggered when input is not properly validated. This allows an attacker to force a stack-based buffer overflow, resulting in denial of service or potentially allowing the execution of arbitrary code.”
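The flaw class Tenable describes, a fixed-size stack buffer filled from a length field that the code trusts without checking, is easy to see in miniature. The following is an added example written for this article, not code from Schneider Electric, Tenable or the affected products; the one-byte-length-plus-payload message format, the `TAG_NAME_MAX` limit and all function names are made up for illustration and say nothing about the real InduSoft or InTouch protocols. It places the unchecked copy beside a version that validates the declared length against both the bytes actually received and the destination buffer before copying anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message layout (constructed for this example):
 *   byte 0      : declared length N of the tag name
 *   bytes 1..N  : tag name characters
 * The receiver copies the name into a fixed-size stack buffer. */
#define TAG_NAME_MAX 32

typedef enum {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,   /* length byte claims more data than was received */
    PARSE_TOO_LONG = 2     /* name would not fit in the destination buffer */
} parse_status;

/* The flawed pattern: the declared length is trusted and drives the copy.
 * If N exceeds the caller's buffer, memcpy writes past the end of it on
 * the stack. Shown only for contrast; it is never called with an
 * oversized message in this example. */
void parse_tag_name_unchecked(const uint8_t *msg, char *out)
{
    size_t declared = msg[0];
    memcpy(out, msg + 1, declared);   /* no bound against sizeof(out) */
    out[declared] = '\0';
}

/* Hardened version: every use of the untrusted length is checked first.
 * out_cap is the real capacity of the destination, including the NUL. */
parse_status parse_tag_name_checked(const uint8_t *msg, size_t msg_len,
                                    char *out, size_t out_cap)
{
    if (msg_len < 1 || out_cap == 0)
        return PARSE_TRUNCATED;
    size_t declared = msg[0];
    if (declared + 1 > msg_len)       /* cannot read more than we received */
        return PARSE_TRUNCATED;
    if (declared >= out_cap)          /* must leave room for the terminator */
        return PARSE_TOO_LONG;
    memcpy(out, msg + 1, declared);
    out[declared] = '\0';
    return PARSE_OK;
}

/* Builds a constructed test message: length byte followed by n copies of 'A'.
 * Returns the total number of bytes written into buf. */
size_t build_msg(uint8_t *buf, size_t n)
{
    buf[0] = (uint8_t)n;
    memset(buf + 1, 'A', n);
    return n + 1;
}

int main(void)
{
    uint8_t msg[300];
    char name[TAG_NAME_MAX];

    size_t len = build_msg(msg, 5);
    parse_tag_name_unchecked(msg, name);          /* fine while N is small */
    printf("unchecked, N=5:  \"%s\"\n", name);

    len = build_msg(msg, 200);                    /* N far beyond the buffer */
    parse_status st = parse_tag_name_checked(msg, len, name, sizeof name);
    printf("checked,   N=200: status %d (2 = rejected as too long)\n", st);

    len = build_msg(msg, 5);
    st = parse_tag_name_checked(msg, 3, name, sizeof name);   /* short read */
    printf("checked,   N=5 but only 3 bytes received: status %d\n", st);
    return 0;
}
```

The fix is not the `memcpy` itself but the two comparisons that precede it: the length field is data from the network and is validated against what was received and against the destination's capacity before it influences any write. The same check belongs on every length, count or offset a parser takes from a message.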

InduSoft Web Studio is a suite of tools that provides automated building blocks to develop human-machine interfaces (HMIs), Supervisory Control And Data Acquisition (SCADA) systems and embedded instrumentation solutions.

The InTouch Machine Edition software toolset can be used to develop applications with interfaces for web browsers, smartphones and tablets.

The concern is that if nation-state attackers or third-party hackers exploited these flaws, they could completely cripple power plants by moving laterally through the network and exposing multiple systems to attack.

“A threat actor can use the compromised machine to laterally transfer within the victim’s network and to execute further attacks. Additionally, connected HMI clients and OT devices can be exposed to attack,” Tenable wrote.

“Given the widespread prevalence and market share of the affected software in the OT space, and the fact that it is frequently deployed in sensitive industries, Schneider and Tenable consider this a critical vulnerability requiring urgent attention and response from affected end users,” the firm concluded.

The good news is that Schneider has since patched these flaws.

Network access

But at least one expert has said that the flaws may not be as bad as they first seem.

“If you’re going after the human machine interfaces (HMIs) – the middleware between the human and the control system – here’s the rub: you still have to gain access to the system network to do that,” said Bryan Singer, Director of Industrial Cybersecurity Services at IOActive.

“This vulnerability is almost meaningless,” he said. “The only thing this vulnerability might do is speed the process up a little bit if malicious actors are already on the network. If they’re on the network, they can already read the network traffic to manipulate network protocols, without using a vulnerability at all. All the industrial vendors are going to share similar types of weaknesses. There’s no point in calling one industrial company out over the other.”

Yet there is no doubt that attacks on critical infrastructure are a growing worry for governments around the world.

Earlier this year the British Government urged critical industries to do more to protect themselves from the growing threat of cyber attacks.

It appointed sector-specific regulators to ensure that essential services are protected, and warned organisations that they risk fines of up to £17 million if they do not have effective cyber security measures in place.

Last year the US government warned of ongoing cyber attacks against critical industries such as energy, nuclear and manufacturing, some of which had been successful.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
