A major security vulnerability affecting one of the world’s largest
manufacturers of computerized industrial control systems, Schneider
Electric, has recently been identified, according to a leading
cybersecurity firm.
Researchers at the Israel-based Indegy Corporation
Tuesday publicly announced their identification of the security hole
and details of how it could have been exploited. The security threat has
since been filled by engineers at Schneider Electric.
"This vulnerability is unique for Schneider Electric systems," said
Mille Gandelsman, Indegy’s Chief Technology Officer and co-founder.
"Vulnerabilities traditionally are found around executable codes that
the attacker builds without having permission to do so, and that’s
exactly what we found," he said.
Industrial control systems, such as the type that Schneider Electric
manufactures, are used in nearly every modern automated factory or
processing plant.
"Everything from the manufacture of soda drinks and pharmaceuticals to
electricity generation or oil and gas transfer," said Gandelsman.
Unlike IT systems that protect a computer or mobile device’s software,
ICS networks were built largely by mechanical engineers to monitor and
control actual physical things, such as temperature gauges, pressure
flow valves, or containment chambers.
Headline grabbers
Because of the potential for catastrophic damage, some hackers have long
targeted ICS networks in hopes of grabbing headlines. Just last month,
an anonymous hacker detailed a successful hack of a Schneider Electric system that controls building heating and cooling systems.
These systems, as Indegy’s CEO Barak Perelman previously told VOA,
can last for decades and were created long before cybersecurity was
even a concept. “Practices like authentication, logging in with
passwords, it doesn’t even exist…” in many ICS networks, Perelman said.
These industrial control systems often are hard to find, and more
difficult to log in to, via another computer operating at a remote site
than standard desktop-type computer systems more familiar in the home or
office. But once inside, gaping security holes such as the type
discovered by Indegy can give hackers the potential ability to destroy
machinery, create widespread havoc, and even take lives by altering the
physical industrial automation systems.
"Engineering stations were targeted; that’s where the various control
parameters for the industrial systems can be changed," Gandelsman told
VOA. "It was these workstations with specialized software [called Unity
Pro] that communicate with the controllers that were made totally
vulnerable…" by this recently discovered security flaw.
"That means that every system that uses this specific software for
Schneider Electric systems would be vulnerable,” he said, entailing
everything from the manufacture of yogurt and automobile parts to the
control of urban sewage treatment and storage of highly toxic chemicals.
"In a very real, physical sense, a cyberattack [in this situation]
could create enormous damage."
No comment
Neither Indegy nor Schneider Electric will say whether any of its
systems had been hacked prior to the recent release of a software patch.
But Gandelsman said it’s clear that other such vulnerabilities may
currently exist with Schneider products, or those of other ICS vendors,
like Siemens, Rockwell or others.
"These systems… are the crown jewels of industrial production," he
cautioned. "Once you have access to these systems, you can do anything
you want."
"Some of these control companies are very cybersecurity aware and
doing their best to avoid, or at least fix, vulnerabilities," Gandelsman
told VOA. "Unfortunately other vendors are not aware of the risks.
These are systems that can be around for decades, so these things
unfortunately continue to exist all around the world."
No comments:
Post a Comment