Security experts are urging IT teams to patch a critical remote code execution bug in one of the world’s most popular industrial control equipment providers, which could allow hackers to cause major operational disruption.
Security vendor Indegy revealed that the vulnerability affects Unity Pro, the flagship software for managing and programming Schneider Electric industrial controllers.
“Regardless of the SCADA/DCS applications in use, if Schneider Electric controllers are deployed, this software will be used on the engineering workstations,” it wrote. “This makes this attack relevant across virtually any process controlled by these PLCs. Since Schneider Electric is one of the largest industrial control equipment providers, this vulnerability is a major concern.”
The RCE bug resides in the “Unity Pro PLC Simulator” module which tests code prior to execution, and is present in all versions of the software.
It would effectively enable a remote hacker to impact the physical environment of any facility running the software, for example, turning off a city’s power supply.
The good news is that Schneider Electric has now released an updated version of the software thanks to the responsible disclosure of the bug by Indegy, which IT teams are urged to implement ASAP.
Tripwire senior director, Tim Erlin, argued that industrial control systems should always be kept air-gapped from the internet so they can’t be remotely attacked.
“While that may seem obvious to many people that control systems shouldn’t be directly accessible from the internet, it’s also a fact that many of these systems are,” he explained.
“In cases where a system can’t be patched or otherwise protected, Schneider customers should be diligently monitoring for any hint of exploit activity.”
Mike Ahmadi, global director of critical systems security at Synopsys , praised Schnieder for its quick response in issuing the patch .
“This is a sign of a mature organization with a solid cybersecurity incident management plan,” he said.
“As someone who has worked with Schneider in the past I know they expend considerable effort in internal cybersecurity vulnerability testing, as well as incident response."