Menu
Schneider Electric PLC simulator flaw exposes workstations to hacking

Schneider Electric PLC simulator flaw exposes workstations to hacking

Attackers can send malicious code to industrial engineering software to take over workstations used to program and control PLCs

The software used to program and deploy code to various Schneider Electric industrial controllers has a weakness that could allow hackers to remotely take over engineering workstations.

The software, known as Unity Pro, runs on PCs used by engineers and includes a simulator for testing code before deploying it to programmable logic controllers (PLCs). These are the specialized hardware devices that monitor and control mechanical processes -- spinning motors, opening and closing valves, etc. -- inside factories, power stations, gas refineries, public utilities and other industrial installations.

Researchers from industrial cybersecurity firm Indegy found that unauthenticated attackers could execute malicious code on Windows computers where the Unity Pro PLC simulator is installed. That code would run with debug privileges leading to a complete system compromise.

Since Unity Pro is typically installed on engineering workstations, a compromise of those systems would provide attackers with the ability to reprogram in-production PLCs and interfere with critical processes. Furthermore, they could provide them with access to intellectual property such as secret recipes for products that are being manufactured and which can be derived from the legitimate programs deployed to PLCs.

According to the Indegy researchers, the Unity Pro PLC simulator opens a network service on workstations that listens on a specific TCP port and allows remote computers to send control code packaged in a proprietary format to the simulator.

Any computer that can communicate with the engineering workstation over the network can send .apx files to be executed by the Unity Pro PLC simulator without authentication. The simulator supports binary formats for different Schneider Electric PLCs, including for those using the x86 architecture.

The Indegy researchers found that they can craft an .apx file that contains malicious x86 instructions and which the Unity Pro software will execute in a child process.

The problem is that this process runs with debug privileges on Windows so you can do anything you want to the machine, said Mille Gandelsman, CTO of Indegy. Breaking out of this process is trivial because there is no sandbox or code isolation, he said.

Because of their privileged position, engineering workstations are what Gandelsman calls the crown jewels of industrial control networks. Even if there are firewalls separating PLCs from the rest of the network, engineering workstations will always be whitelisted and will be able to communicate with them because that's their role.

According to a Schneider Electric security advisory regarding this issue, there are is at least one limiting factor: the attack will only work if there's no other application program running inside the PLC simulator or if that application is not password protected.

Because of this, the newly released Unity Pro version 11.1 will not allow the simulator to be launched without an associated application. However, "it is up to the user to select the Unity PRO default application to be launched by the simulator, and to protect this application program by a password," the company said in the advisory.

Schneider Electric did not immediately respond to a request for comment.

Another limiting factor is that a potential attacker already needs to have access to a computer on the network that can communicate with the Unity Pro engineering workstation in the first place.

Access to such a computer can be obtained in a number of ways, including through malware attacks, other vulnerabilities and even malicious insiders. However, this vulnerability highlights the importance of proper network segmentation, where industrial control assets, including engineering workstations, are isolated from a company's general IT network.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Examining the changing job scene in the Kiwi channel

Examining the changing job scene in the Kiwi channel

Typically, the New Year brings new opportunities for personnel within the Kiwi channel. 2017 started no differently, with a host of appointments, departures and reshuffles across vendor, distributor and reseller businesses. As a result, the job scene across New Zealand has changed - here’s a run down of who is working where in the year ahead…

Examining the changing job scene in the Kiwi channel
​What are the top 10 tech trends for New Zealand in 2017?

​What are the top 10 tech trends for New Zealand in 2017?

Digital Transformation (DX) has been a critical topic for business over the last few years and IDC is now predicting a step change as DX reaches macroeconomic levels. By 2020 a DX economy will emerge and it will become the core of what New Zealand industries focus on. From the board level through to the C-Suite, Kiwi organisations must be prepared to think and act digital when the DX economy emerges in 2017.

​What are the top 10 tech trends for New Zealand in 2017?
Show Comments