Early April, Schneider Electric has released several updates and patches fixing vulnerabilities in the software used for creating SCADA and HMI systems at nuclear power plants, chemical plants and other critical units.
The vulnerabilities which even a novice attacker could exploit were found in InduSoft Web Studio 126.96.36.199, InTouch Machine Edition 2014 188.8.131.52 as well as previous versions of these products. Among bugs fixed — arbitrary code execution and non-encrypted storage/transfer of sensitive data. The vendor recommends downloading the new patches as soon as possible.
Ilya Karpov and Kirill Nesterov, Positive Technologies researchers, detected the vulnerabilities during an ICS security analysis. Meanwhile, many bugs in those products were independently revealed by the participants of the Critical Infrastructure Attack contest held in May 2014 at the international infosec conference Positive Hack Days IV.
Schneider Electric thanked the contest winner, Alisa Shevchenko (Esage Lab), for the vulnerabilities she identified.
The first PHDays contest in analyzing ICS security was held in 2013 when security experts at Positive Technologies laboratory developed a railway model, whose components (trains, railroad crossing gates, and cranes) were controlled by an ICS based on three real SCADA systems and three industrial controllers.
In 2014, the contest infrastructure was significantly changed to allow detection of zero-day vulnerabilities within a wider range of systems and industrial protocols including: transport, city lighting system, power plants and various robots.
In the competition scenario, SCADA systems and controllers are used at critical installations within various industries. If exploited in a real life situation, these vulnerabilities could have very serious consequences. According to the responsible disclosure policy, Critical Infrastructure Attack contestants must notify respective vendors about vulnerabilities they detected. Details about the vulnerabilities are available upon the fixes being disclosed by the vendor.
The next ICS security analysis contest will be held at Positive Hack Days V on May 26—27 in Moscow. You can find the details at phdays.com.