A vulnerability in Schneider Electric computer control systems popular in heating, air conditioning and other building systems could allow hackers to take control of them, researchers at security firm Armis warn.
The remote code execution vulnerability puts millions of devices at risk, Armis said in a report out Tuesday. The affected Modicon programmable logic controllers (PLCs) are also used widely in manufacturing, automation applications and energy utilities.
The vulnerability could be used to deploy a variety of attacks, from launching ransomware to altering the commands to machinery.
“It’s a very wide range,” said Ben Seri, vice president of research at Armis. “It does reach on one end nation-states and sophisticated attacks in that type of scale, but it can also just be the next logical steps for ransomware attackers.”
The vulnerability would allow attackers to hijack a command that would leak a password hash from the device’s memory. Once they have that, they can authenticate its use and downgrade other security measures, ultimately gaining full control over the PLC.
The attack requires network access, making it harder, but not impossible to deploy in PLCs segmented from other systems, as is often the case in industrial settings.
Armis first flagged the vulnerability to Schneider Electric in November. The company is still developing a patch and says it has collaborated with multiple researchers on the vulnerability.
“Schneider Electric is committed to collaborating openly and transparently,” Thomas Eck, a spokesperson for Schneider Electric, wrote in a statement. The company is encouraging customers to follow mitigation guidance issued by the company.
Industrial control systems or ICS, the operating ecosystem for industrial processes, have become an increasingly popular target for ransomware gangs and other cybercriminals, as well as nation-state hackers. In 2017 a malware known as Trisis or Triton disrupted a Saudi Arabia petrochemical plant. The malware was designed to infiltrate Schneider Electric’s safety instrument systems.
The vulnerability in the Schneider controllers points to a much wider industry problem, experts say. Many legacy systems in industrial environments are not designed with encryption protocols, one of the strongest forms of protection for data.
“It’s very difficult for Schneider and other manufacturing vendors to create secure protections for these programmable logic controllers because the underlying protocol they use doesn’t have encryption or authentication,” says Seri.
“Whatever they add on top of it, that tries to mimic secure communications ends up falling short in various ways, because the underlying protocol is not secure,” he added.
Bryson Bort, CEO of IT security firm Scythe, said while the vulnerability is bad, Schneider Electric is far from the only manufacturer facing risks from unencrypted systems.
“The industry-wide challenge is that encryption and authentication are not a standard in operational technology devices,” he said.
Both Bort and Seri say that the industry has been slow to encrypt their environments because of the time and complications that come with the process.
But the Schneider Electric PLCs are a prime example of why encryption matters, Seri said.
“They tried to use other authentication, but it’s nearly impossible to do so without proper encryption,” said Seri. “I do see this as an enduring problem. There has to be a need from the field, that this is a requirement, this is something that we should strive to do.”
Authentication and encryption technologies are central to the Biden administration’s executive order overhauling software used by the federal government. The Energy Department has pushed for similar action from the electric industry to fortify its cybersecurity defenses, but the effort is largely voluntary on the part of the industry.