Schneider Electric thanks PHDays winner of hacking contest



    At the beginning of April, Schneider Electric released several updates and patches covering vulnerabilities in the software used to build SCADA and HMI systems at nuclear power plants, chemical plants, and other critical facilities.

    InTouch Machine Edition 2014 version 7.1.3.2 and InduSoft Web Studio 7.1.3.2, as well as previous versions of these products, were at risk. The corrected errors include the ability to execute arbitrary code and the storage and transmission of confidential data in unencrypted form. Even a novice hacker can take advantage of these vulnerabilities to carry out an attack. The manufacturer recommends that users install the released patches as soon as possible.

    The vulnerabilities were discovered by Positive Technologies researchers Ilya Karpov and Kirill Nesterov while assessing the security of industrial systems. In addition, a large number of errors in the same software products were found by participants in the Critical Infrastructure Attack contest, which took place at the Positive Hack Days IV international security conference. Schneider Electric thanked the winner of the contest, Alisa Shevchenko (Esage Lab), for the vulnerabilities found. However, the company did not mention some vulnerabilities in the bulletin and did not create CVE records for them. Unfortunately, this practice is becoming more common: manufacturers correct security errors but do not always acknowledge their existence.

    Recall that a contest on the security analysis of industrial control systems (ICS) was first held at Positive Hack Days in 2013 under the name Choo Choo Pwn. For that contest, a model railway was built in the Positive Technologies laboratory, with all of its elements (trains, barriers, cranes) controlled by an automated process control system assembled from three SCADA systems and three industrial controllers.

    In 2014, the contest infrastructure was radically changed, which opened up opportunities for detecting zero-day vulnerabilities in a wider range of industrial protocols and control systems. In addition to transport infrastructure, the contestants could take control of the city lighting system, thermal power plants and various robots.

    At the same time, all of the SCADA systems and controllers used in the contest are deployed at critical facilities in various industries, and real-world exploitation of the vulnerabilities could lead to disastrous consequences for residents of a modern city. Following the principles of responsible disclosure, participants in the Critical Infrastructure Attack contest must first report the vulnerabilities to the manufacturers, and detailed information about them will be published only after the problems are fixed.



    The next contest on the security analysis of automated process control systems will take place at the fifth Positive Hack Days forum, which will be held on May 26 and 27 in Moscow. Details are on the website phdays.ru.

