Workstation software flaw exposes industrial control systems to hacking

Attackers can send malicious code to industrial engineering software to take over workstations used to program and control PLCs

The software used to program and deploy code to various Schneider Electric industrial controllers has a weakness that could allow hackers to remotely take over engineering workstations.

The software, known as Unity Pro, runs on PCs used by engineers and includes a simulator for testing code before deploying it to programmable logic controllers (PLCs). These are the specialized hardware devices that monitor and control mechanical processes -- spinning motors, opening and closing valves, etc. -- inside factories, power stations, gas refineries, public utilities and other industrial installations.

Researchers from industrial cybersecurity firm Indegy found that unauthenticated attackers could execute malicious code on Windows computers where the Unity Pro PLC simulator is installed. That code would run with debug privileges leading to a complete system compromise.

Since Unity Pro is typically installed on engineering workstations, a compromise of those systems would provide attackers with the ability to reprogram in-production PLCs and interfere with critical processes. Furthermore, they could provide them with access to intellectual property such as secret recipes for products that are being manufactured and which can be derived from the legitimate programs deployed to PLCs.

According to the Indegy researchers, the Unity Pro PLC simulator opens a network service on workstations that listens on a specific TCP port and allows remote computers to send control code packaged in a proprietary format to the simulator.

Any computer that can communicate with the engineering workstation over the network can send .apx files to be executed by the Unity Pro PLC simulator without authentication. The simulator supports binary formats for different Schneider Electric PLCs, including for those using the x86 architecture.

The Indegy researchers found that they can craft an .apx file that contains malicious x86 instructions and which the Unity Pro software will execute in a child process.

The problem is that this process runs with debug privileges on Windows so you can do anything you want to the machine, said Mille Gandelsman, CTO of Indegy. Breaking out of this process is trivial because there is no sandbox or code isolation, he said.

Because of their privileged position, engineering workstations are what Gandelsman calls the crown jewels of industrial control networks. Even if there are firewalls separating PLCs from the rest of the network, engineering workstations will always be whitelisted and will be able to communicate with them because that's their role.

According to a Schneider Electric security advisory regarding this issue, there are is at least one limiting factor: the attack will only work if there's no other application program running inside the PLC simulator or if that application is not password protected.

Because of this, the newly released Unity Pro version 11.1 will not allow the simulator to be launched without an associated application. However, "it is up to the user to select the Unity PRO default application to be launched by the simulator, and to protect this application program by a password," the company said in the advisory.

Schneider Electric did not immediately respond to a request for comment.

Another limiting factor is that a potential attacker already needs to have access to a computer on the network that can communicate with the Unity Pro engineering workstation in the first place.

Access to such a computer can be obtained in a number of ways, including through malware attacks, other vulnerabilities and even malicious insiders. However, this vulnerability highlights the importance of proper network segmentation, where industrial control assets, including engineering workstations, are isolated from a company's general IT network.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?