Menu
Workstation software flaw exposes industrial control systems to hacking

Workstation software flaw exposes industrial control systems to hacking

Attackers can send malicious code to industrial engineering software to take over workstations used to program and control PLCs

The software used to program and deploy code to various Schneider Electric industrial controllers has a weakness that could allow hackers to remotely take over engineering workstations.

The software, known as Unity Pro, runs on PCs used by engineers and includes a simulator for testing code before deploying it to programmable logic controllers (PLCs). These are the specialized hardware devices that monitor and control mechanical processes -- spinning motors, opening and closing valves, etc. -- inside factories, power stations, gas refineries, public utilities and other industrial installations.

Researchers from industrial cybersecurity firm Indegy found that unauthenticated attackers could execute malicious code on Windows computers where the Unity Pro PLC simulator is installed. That code would run with debug privileges leading to a complete system compromise.

Since Unity Pro is typically installed on engineering workstations, a compromise of those systems would provide attackers with the ability to reprogram in-production PLCs and interfere with critical processes. Furthermore, they could provide them with access to intellectual property such as secret recipes for products that are being manufactured and which can be derived from the legitimate programs deployed to PLCs.

According to the Indegy researchers, the Unity Pro PLC simulator opens a network service on workstations that listens on a specific TCP port and allows remote computers to send control code packaged in a proprietary format to the simulator.

Any computer that can communicate with the engineering workstation over the network can send .apx files to be executed by the Unity Pro PLC simulator without authentication. The simulator supports binary formats for different Schneider Electric PLCs, including for those using the x86 architecture.

The Indegy researchers found that they can craft an .apx file that contains malicious x86 instructions and which the Unity Pro software will execute in a child process.

The problem is that this process runs with debug privileges on Windows so you can do anything you want to the machine, said Mille Gandelsman, CTO of Indegy. Breaking out of this process is trivial because there is no sandbox or code isolation, he said.

Because of their privileged position, engineering workstations are what Gandelsman calls the crown jewels of industrial control networks. Even if there are firewalls separating PLCs from the rest of the network, engineering workstations will always be whitelisted and will be able to communicate with them because that's their role.

According to a Schneider Electric security advisory regarding this issue, there are is at least one limiting factor: the attack will only work if there's no other application program running inside the PLC simulator or if that application is not password protected.

Because of this, the newly released Unity Pro version 11.1 will not allow the simulator to be launched without an associated application. However, "it is up to the user to select the Unity PRO default application to be launched by the simulator, and to protect this application program by a password," the company said in the advisory.

Schneider Electric did not immediately respond to a request for comment.

Another limiting factor is that a potential attacker already needs to have access to a computer on the network that can communicate with the Unity Pro engineering workstation in the first place.

Access to such a computer can be obtained in a number of ways, including through malware attacks, other vulnerabilities and even malicious insiders. However, this vulnerability highlights the importance of proper network segmentation, where industrial control assets, including engineering workstations, are isolated from a company's general IT network.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments