Indegy Uncovers a New ICS Security Flaw

The discovery of a “remote code execution” vulnerability in Schneider Electric’s Unity Pro software is a wake-up call to the industry that most control systems are not safe.


We live in a world in which we truly must worry about cyber threats, especially when it comes to critical infrastructure and fine-tuned manufacturing operations. Given the sophistication of cyber criminals, and, perhaps more importantly, the lack of inherent security within industrial control systems (ICS), we could be facing a future crisis.

That became crystal clear last week when Indegy Labs, an industrial cyber security firm, announced that it had discovered a vulnerability in Schneider Electric’s Unity Pro software, an application for programming and managing industrial controllers. The flaw allows any user to remotely execute code directly on any computer on which the software is installed.

The problem resides in a component of Unity Pro called PLC Simulator, used to test industrial controllers’ code prior to executing it on the controllers themselves. The control code projects are compiled as x86 instructions and loaded onto the PLC Simulator using a proprietary format named “apx.”

The vulnerability in the simulator component of Unity Pro lets attackers use the “apx” format to execute malicious code and gain native access to industrial controllers. Indegy identified this troublesome flaw as part of its ongoing R&D efforts, the company said.

“What we found, called a remote code execution, means if I have access to a computer in a network I can execute code on any other computer in this network,” said Indegy CTO Mille Gandelsman. “This is far from being trivial.”

What does this mean and why is it so dangerous?

If you think of it in terms of the organization you work in, “you can run a program or execute code on your own computer when connected to a network, and perhaps you can use some of the files on the network, but that doesn’t mean you can execute code on the CEO’s computer,” Gandelsman explained.

That’s because IT networks were designed with cybersecurity in mind. Industrial controllers, however, lack authentication and industrial communication protocols lack encryption.

Unity Pro is used to program PLCs (programmable logic controllers) and RTUs (remote terminal units) in chemical plants, pharmaceutical companies and critical infrastructure. “If anyone can access this [then they] can use that access to reprogram an industrial controller,” Gandelsman said. In other words, someone can do anything to the industrial controllers—by design—and it is not a hack or an exploit.

Indegy brought this discovery to Schneider Electric months ago. Since then, the automation and energy management supplier issued a security notification stating that “Schneider Electric has become aware of a vulnerability in the Unity Pro software product,” and, the company said, the issue has been addressed in the latest version of its software.

While Indegy is unaware of this particular flaw being exploited, it serves as proof that manufacturers and suppliers need to take steps to prevent the inevitable. That means finding new ways to monitor and manage control systems and industrial networks.

“One of the things I think this highlights is the lack of visibility in industrial control networks in general,” Gandelsman said.
