Indegy Uncovers a New ICS Security Flaw

Nov. 3, 2016
The discovery of a “remote code execution” vulnerability in Schneider Electric’s Unity Pro software is a wake-up call to the industry that most control systems are not safe.

We live in a world in which we truly must worry about cyber threats, especially when it comes to critical infrastructure and fine-tuned manufacturing operations. Given the sophistication of cyber criminals, and, perhaps more importantly, the lack of inherent security within industrial control systems (ICS), we could be facing a future crisis.

That became crystal clear last week when Indegy Labs, an industrial cyber security firm, announced that it discovered a vulnerability in Schneider Electric’s Unity Pro software, an application for programming and managing industrial controllers. The flaw allows any user to remotely execute code directly on any other computer upon which the software is installed.

The problem resides in a component of Unity Pro called PLC Simulator, used to test industrial controllers’ code prior to executing it on the controllers themselves. The control code projects are compiled as x86 instructions and loaded onto the PLC Simulator using a proprietary format named “apx.”

The vulnerability in the simulator component of Unity Pro enables attackers to natively access industrial controllers and use ‘apx’ to execute malicious code. This troublesome flaw was identified by Indegy as part of its ongoing R&D efforts, the company said.

“What we found, called a remote code execution, means if I have access to a computer in a network I can execute code on any other computer in this network,” said Indegy CTO Mille Gandelsman. “This is far from being trivial.”

What does this mean and why is it so dangerous?

If you think of it in terms of the organization you work in, “you can run a program or execute code on your own computer when connected to a network, and perhaps you can use some of the files on the network, but that doesn’t mean you can execute code on the CEO’s computer,” Gandelsman explained.

That’s because IT networks were designed with cybersecurity in mind. Industrial controllers, however, lack authentication and industrial communication protocols lack encryption.

Unity Pro is used to program PLCs and RTUs in chemical plants, pharmaceutical companies and critical infrastructure. “If anyone can access this [then they] can use that access to reprogram an industrial controller,” Gandelsman said. In other words, someone can do anything to the industrial controllers—by design—and it is not a hack or an exploit.

Indegy brought this discovery to Schneider Electric months ago. Since then, the automation and energy management supplier issued a security notification stating that “Schneider Electric has become aware of a vulnerability in the Unity Pro software product,” and, the company said, the issue has been addressed in the latest version of its software.

While Indegy is unaware of this particular flaw being exploited, it serves as proof that manufacturers and suppliers need to take steps to prevent the inevitable. That means finding new ways to monitor and manage control systems and industrial networks.

“One of the things I think this highlights is the lack of visibility in industrial control networks in general,” Gandelsman said.

About the Author

Stephanie Neil | Editor-in-Chief, OEM Magazine

Stephanie Neil has been reporting on business and technology for over 25 years and was named Editor-in-Chief of OEM magazine in 2018. She began her journalism career as a beat reporter for eWeek, a technology newspaper, later joining Managing Automation, a monthly B2B manufacturing magazine, as senior editor. During that time, Neil was also a correspondent for The Boston Globe, covering local news. She joined PMMI Media Group in 2015 as a senior editor for Automation World and continues to write for both AW and OEM, covering manufacturing news, technology trends, and workforce issues.

Sponsored Recommendations

Why Go Beyond Traditional HMI/SCADA

Traditional HMI/SCADAs are being reinvented with today's growing dependence on mobile technology. Discover how AVEVA is implementing this software into your everyday devices to...

4 Reasons to move to a subscription model for your HMI/SCADA

Software-as-a-service (SaaS) gives you the technical and financial ability to respond to the changing market and provides efficient control across your entire enterprise—not just...

Is your HMI stuck in the stone age?

What happens when you adopt modern HMI solutions? Learn more about the future of operations control with these six modern HMI must-haves to help you turbocharge operator efficiency...