Indegy Uncovers a New ICS Security Flaw

Nov. 3, 2016
The discovery of a “remote code execution” vulnerability in Schneider Electric’s Unity Pro software is a wake-up call to the industry that most control systems are not safe.

We live in a world in which we truly must worry about cyber threats, especially when it comes to critical infrastructure and fine-tuned manufacturing operations. Given the sophistication of cyber criminals, and, perhaps more importantly, the lack of inherent security within industrial control systems (ICS), we could be facing a future crisis.

That became crystal clear last week when Indegy Labs, an industrial cyber security firm, announced that it discovered a vulnerability in Schneider Electric’s Unity Pro software, an application for programming and managing industrial controllers. The flaw allows any user to remotely execute code directly on any other computer upon which the software is installed.

The problem resides in a component of Unity Pro called PLC Simulator, used to test industrial controllers’ code prior to executing it on the controllers themselves. The control code projects are compiled as x86 instructions and loaded onto the PLC Simulator using a proprietary format named “apx.”

The vulnerability in the simulator component of Unity Pro enables attackers to natively access industrial controllers and use “apx” to execute malicious code. This troublesome flaw was identified by Indegy as part of its ongoing R&D efforts, the company said.

“What we found, called a remote code execution, means if I have access to a computer in a network I can execute code on any other computer in this network,” said Indegy CTO Mille Gandelsman. “This is far from being trivial.”

What does this mean and why is it so dangerous?

If you think of it in terms of the organization you work in, “you can run a program or execute code on your own computer when connected to a network, and perhaps you can use some of the files on the network, but that doesn’t mean you can execute code on the CEO’s computer,” Gandelsman explained.

That’s because IT networks were designed with cybersecurity in mind. Industrial controllers, however, lack authentication and industrial communication protocols lack encryption.

Unity Pro is used to program PLCs and RTUs in chemical plants, pharmaceutical companies and critical infrastructure. “If anyone can access this [then they] can use that access to reprogram an industrial controller,” Gandelsman said. In other words, someone can do anything to the industrial controllers—by design—and it is not a hack or an exploit.

Indegy brought this discovery to Schneider Electric months ago. Since then, the automation and energy management supplier issued a security notification stating that “Schneider Electric has become aware of a vulnerability in the Unity Pro software product,” and, the company said, the issue has been addressed in the latest version of its software.

While Indegy is unaware of this particular flaw being exploited, it serves as proof that manufacturers and suppliers need to take steps to prevent the inevitable. That means finding new ways to monitor and manage control systems and industrial networks.

“One of the things I think this highlights is the lack of visibility in industrial control networks in general,” Gandelsman said.

About the Author

Stephanie Neil | Editor-in-Chief, OEM Magazine

Stephanie Neil has been reporting on business and technology for over 25 years and was named Editor-in-Chief of OEM magazine in 2018. She began her journalism career as a beat reporter for eWeek, a technology newspaper, later joining Managing Automation, a monthly B2B manufacturing magazine, as senior editor. During that time, Neil was also a correspondent for The Boston Globe, covering local news. She joined PMMI Media Group in 2015 as a senior editor for Automation World and continues to write for both AW and OEM, covering manufacturing news, technology trends, and workforce issues.
