After Russia warning, hole found in leading industrial-control software
On March 16, the U.S. Department of Homeland Security and the British National Cyber Security Centre warned critical-infrastructure facilities controlling electricity, water, and oil and gas operations about potential computer attacks from Russia.
“In multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities,” the DHS said in a joint statement with the FBI.
Weeks later, as if on cue, a maker of prominent industrial-control software acknowledged a potentially critical vulnerability in two of its products.
The vulnerability, discovered by security company Tenable Research on January 18, affects the 8.1 versions of Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition, Windows software that companies as diverse as those specializing in irrigation control, nuclear-material containment, energy management, and beverage bottling use to monitor and control their SCADA and operational-technology machinery.
Tom Parsons, head of Tenable’s Ireland-based research office, says Tenable researchers worked with Schneider to issue a patch to its customers on April 6. At this point, however, Tenable isn’t sure of how many companies running the affected systems have installed it. Nor does it know how many systems running the affected software remain unpatched.
Although patches are often difficult to install on complex systems like those that control industrial machinery, Parsons says this is one that shouldn’t be ignored: A successful hack could lead to manipulation or damage of a target company’s machinery, as well as hacks throughout its computer network.
“The physical devices at the plant, whether it’s an oil rig, pipeline, or a commercial wind farm, can be compromised to give you the wrong readings,” Parsons tells The Parallax. “There are consequences from a commercial, as well as safety, perspective.”
Schneider, a global leader in systems that monitor and control energy management machinery, with a market cap of $48 billion, did not respond to requests for comment.
The vulnerability Tenable found in Schneider’s products is a stack-based buffer overflow, where more input is written into a fixed-size buffer on the program’s stack than the buffer was allocated to hold. It’s a very common, “old-school vulnerability,” says Bryson Bort, founder of the cybersecurity consultancies Grimm and Scythe, and co-founder of the nonprofit ICS Village. “It’s programming 101.”
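To make the “programming 101” point concrete, here is an added illustration in C that is not code from the article, from Tenable, or from Schneider’s products: a text field copied into a fixed-size stack buffer with no length check, beside the bounds-checked form that rejects oversized input. The 16-byte field width, the `copy_field_*` and `would_overflow` names, and the sample inputs are all constructed for this example; the article does not state the real field sizes.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical field width; the affected products' real field sizes are not given in the article. */
#define FIELD_LEN 16

/* Vulnerable pattern: strcpy() copies until it finds a NUL and never consults the
 * destination size, so any input of FIELD_LEN bytes or longer overwrites whatever
 * sits above `field` on the stack (saved registers, the return address...). This is
 * the "characters entered beyond the field's ability to process them" case.
 * Shown only for contrast; main() below calls it with input that fits. */
static void copy_field_unsafe(const char *input)
{
    char field[FIELD_LEN];
    strcpy(field, input);                  /* no bounds check: stack-based buffer overflow */
    printf("unsafe copy: %s\n", field);
}

/* Hardened form: measure the input against the real buffer size and refuse
 * anything that does not fit, rather than silently truncating. Rejecting the
 * request also gives operators something to log, which truncation would hide. */
static bool copy_field_checked(char *field, size_t field_len, const char *input)
{
    size_t n = strnlen(input, field_len);  /* never read more than field_len bytes */
    if (n >= field_len)                    /* no room left for the terminating NUL */
        return false;
    memcpy(field, input, n);
    field[n] = '\0';
    return true;
}

/* Review/detection helper: would a naive strcpy() into a field of field_len bytes
 * overflow for this input? Useful when auditing input paths or rejected requests. */
static bool would_overflow(const char *input, size_t field_len)
{
    return strnlen(input, field_len) >= field_len;
}

int main(void)
{
    /* Constructed sample inputs: one that fits the field, one that does not. */
    const char *ok   = "SETPOINT=42";                       /* 11 bytes */
    const char *long_in = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes */
    char field[FIELD_LEN];

    copy_field_unsafe(ok);                 /* fits, so this call is harmless */

    printf("checked copy of short input accepted: %s\n",
           copy_field_checked(field, sizeof field, ok) ? "yes" : "no");
    printf("checked copy of long input accepted:  %s\n",
           copy_field_checked(field, sizeof field, long_in) ? "yes" : "no");
    printf("naive strcpy of long input would overflow: %s\n",
           would_overflow(long_in, FIELD_LEN) ? "yes" : "no");
    return 0;
}
```

The checked version takes the buffer size as a parameter instead of trusting the caller, and treats an input of exactly `field_len` bytes as too long because the NUL terminator needs its own byte; that off-by-one is the classic way a "fixed" copy stays exploitable. Modern compilers add stack canaries that turn this overwrite into a crash rather than control-flow hijack, but a crash on a SCADA workstation is still a denial of service, which is why the length check belongs in the code itself.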
Tom VanNorman, a founding member of the ICS Village, says these kinds of basic programming errors slip through in testing and can become massive headaches to fix, once the software is in use.
“In Windows 10, or on your [Internet] cameras or IT [information technology] network, you’re going to push out that patch as fast as you can,” he says. “But historically, these OT [operational technology] networks aren’t patched at the rate that IT networks are patched. If they find a vulnerability today, it might still be there unpatched six months from now.”
VanNorman says that while companies should heed the Homeland Security warning, they should be working diligently to prevent attempted hacks, and apply patches, no matter which party might be sending malicious data packets.
“I’m going to protect my networks the same way, whether it’s from a Russian packet or Chinese packet or kid in New Jersey’s packet,” he says.
While Bort couldn’t comment on the likelihood of an attack that takes advantage of the Schneider software vulnerability from Russia or another nation-state actor, he did say the kind of vulnerability Tenable found would look appealing to hackers.
“If I were them, this is something I would use,” he says.