This week Schneider Electric published advisories for vulnerabilities affecting various products, including flaws that can be exploited to take control of Modicon M221 Programmable Logic Controllers (PLCs).
A total of four vulnerabilities were discovered in the Modicon M221 PLC by researchers at Claroty, an industrial cybersecurity company. Three of them were independently identified by employees of Trustwave, another cybersecurity company. Both Trustwave and Claroty have published blog posts with detailed findings.
The security holes, three of which Schneider has rated high severity, relate to encryption and authentication. The French industrial giant has shared a number of mitigations that customers can implement to reduce the risk of attacks.
Karl Sigler, senior threat manager at Trustwave, told SecurityWeek that an attacker needs access to the OT network to exploit one of the vulnerabilities.
By bypassing authentication and gaining direct access to manipulate the PLC, an attacker can take full control over the PLC’s actions, which can be disastrous depending on the type of OT environment the PLC is used in, Sigler explains. This can lead to a complete failure of the control systems or to dangerous situations in which the safety of the systems is endangered.
Yehuda Anikster, senior researcher at Claroty, told SecurityWeek that exploiting the vulnerabilities requires intercepting traffic between the EcoStruxure machine design software and the PLC it targets.
In this case, intruders must wait for the engineer or technician to log in and enter the password, or to perform download operations on the M221 using the engineering software, says Anikster. At this point, attackers have everything they need: they can extract the encryption key from the recorded network traffic and use it to decrypt the read/write passwords from that traffic.
Once the intruders have obtained the read/write passwords, they can do anything with the M221 PLC as if they were engineers themselves. This includes downloading the M221 program, downloading (and overwriting) the program to the M221, changing the read/write passwords, stopping/starting the M221, and much more, the researcher added. For example, attackers can pull all the code running on the M221 and steal the logic of the business process. Another possible scenario is to remove all code and change all passwords on the M221, blocking all access to the device and shutting down the PLC as a denial-of-service attack. In addition, cunning attackers could launch a Stuxnet-like attack and easily change the code on the M221 to destroy the company’s equipment.
This week Schneider Electric also informed its customers about critical vulnerabilities affecting its PLC Simulator product, including flaws that allow arbitrary command execution and DoS attacks.
The company also warned of a critical vulnerability in the Easergy T300 RTU that allows command execution and DoS attacks, as well as several high-severity remote code execution vulnerabilities affecting the Interactive Graphical SCADA System (IGSS) product.
The vendor also advised customers to apply additional security measures to protect Q Data Radio and J Data Radio equipment against Drovorub, a Russian malware recently detailed by the NSA and the FBI.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied to electrical engineering.