A major security vulnerability affecting one of the world’s largest manufacturers of computerized industrial control systems, Schneider Electric, has recently been identified, according to a leading cybersecurity firm.
Researchers at the Israel-based Indegy Corporation Tuesday publicly announced their identification of the security hole and details of how it could have been exploited. The security threat has since been filled by engineers at Schneider Electric.
"This vulnerability is unique for Schneider Electric systems," said Mille Gandelsman, Indegy’s Chief Technology Officer and co-founder. "Vulnerabilities traditionally are found around executable codes that the attacker builds without having permission to do so, and that’s exactly what we found," he said.
Industrial control systems, such as the type that Schneider Electric manufactures, are used in nearly every modern automated factory or processing plant.
"Everything from the manufacture of soda drinks and pharmaceuticals to electricity generation or oil and gas transfer," said Gandelsman.
Unlike IT systems that protect a computer or mobile device’s software, ICS networks were built largely by mechanical engineers to monitor and control actual physical things, such as temperature gauges, pressure flow valves, or containment chambers.
Because of the potential for catastrophic damage, some hackers have long targeted ICS networks in hopes of grabbing headlines. Just last month, an anonymous hacker detailed a successful hack of a Schneider Electric system that controls building heating and cooling systems.
These systems, as Indegy’s CEO Barak Perelman previously told VOA, can last for decades and were created long before cybersecurity was even a concept. “Practices like authentication, logging in with passwords, it doesn’t even exist…” in many ICS networks, Perelman said.
These industrial control systems often are hard to find, and more difficult to log in to, via another computer operating at a remote site than standard desktop-type computer systems more familiar in the home or office. But once inside, gaping security holes such as the type discovered by Indegy can give hackers the potential ability to destroy machinery, create widespread havoc, and even take lives by altering the physical industrial automation systems.
"Engineering stations were targeted; that’s where the various control parameters for the industrial systems can be changed," Gandelsman told VOA. "It was these workstations with specialized software [called Unity Pro] that communicate with the controllers that were made totally vulnerable…" by this recently discovered security flaw.
"That means that every system that uses this specific software for Schneider Electric systems would be vulnerable,” he said, entailing everything from the manufacture of yogurt and automobile parts to the control of urban sewage treatment and storage of highly toxic chemicals. "In a very real, physical sense, a cyberattack [in this situation] could create enormous damage."
Neither Indegy nor Schneider Electric will say whether any of its systems had been hacked prior to the recent release of a software patch.
But Gandelsman said it’s clear that other such vulnerabilities may currently exist with Schneider products, or those of other ICS vendors, like Siemens, Rockwell or others.
"These systems… are the crown jewels of industrial production," he cautioned. "Once you have access to these systems, you can do anything you want."
"Some of these control companies are very cybersecurity aware and doing their best to avoid, or at least fix, vulnerabilities," Gandelsman told VOA. "Unfortunately other vendors are not aware of the risks. These are systems that can be around for decades, so these things unfortunately continue to exist all around the world."