Schneider Electric plugs gaping hole in industrial control kit

A vulnerability in Schneider Electric’s industrial controller management software created a possible mechanism for hackers to plant malicious code on industrial networks. Industrial cybersecurity firm Indegy discovered the recently resolved flaw in Schneider Electric’s flagship industrial controller management software, Unity …

  1. JeffyPoooh

    "...gaping hole..."

    I'm not convinced that there's a huge practical difference between a 'gaping' security hole versus a 'small' subtle security hole.

    Some difference yes. Just not a huge practical difference.

  2. Pascal Monett Silver badge

    "nothing specific to cybersecurity was inherently built within them"

    Systems built 20 years ago did not need cybersecurity because there was no such thing.

    Industrial equipment takes time to update, no surprise there.

    1. Lotaresco

      Re: "nothing specific to cybersecurity was inherently built within them"

      "Systems built 20 years ago did not need cybersecurity because there was no such thing."

      Oomph! That's a bit wide of the mark. Ignoring the silly and irritating term "cybersecurity", which wasn't in vogue at the time, there was awareness among professionals that IT security was essential and a priority. Netscape Communications had implemented HTTPS in 1994. Computer security and the need for it had become a hot topic a decade before when, in 1984, Schifreen and Gold were arrested for the Prestel hack.

      Security was rather basic in most cases and consisted of security through obscurity, being the best that could be done at the time. "Don't publish the phone numbers for your modems." was a standard approach along with "Lock up your data in a central data centre." Industrial control systems at the time were a mixed bag. Pneumatic logic (pretty much unhackable even today) was as likely to be found as electronic logic and was both reliable and cheaper than the electronic systems of the time. Later electronic systems were rarely used remotely and if they were remote tended to be on unidirectional links.

It's safer to say that twenty years ago internet connectivity for industrial control equipment wasn't a requirement. What has caused problems is the failure of those building industrial control systems to realise how quickly hackers work to develop exploits. Control systems are installed with an expectation that they will have a twenty-five year operating life. That assumption ignores the more usual IT technical refresh cycle of five years and the rapid evolution of new exploits.

      1. Pascal Monett Silver badge

"What has caused problems is the failure of those building industrial control systems to realise how quickly hackers work to develop exploits."

        I see your point and agree with you fully. I would just like to append to this by saying that it was not a failure on the industrial control systems maker's part to not foresee the impact of the Internet on the security of their components.

        The Internet has revolutionized our entire society in less time than it takes to reach voting age. Every part of our society needs to adapt, and this is just a normal consequence of things.

  3. Jeffrey Nonken

    Well, 25 years ago I was writing firmware for Industrial Process Control, so I suppose this was all my fault.

    Hah hah. Perhaps we were naive and short-sighted, but understand that the Internet wasn't A Thing yet. It was there, but had very limited use. It never occurred to us that we'd need or even want to hook into it, or any clue what it would become.

    First, I'd have to dial into my ISP, then get into Usenet to download my pr0n. Usenet was intended for text, so it was mostly discussions, but there were also automated e-mail lists. (Think "Yahoo! Groups.") Speaking of Yahoo!, it didn't exist yet. Google was in the distant future. Searches were done using Gopher, often via Archie, Jughead or Veronica. IRC handled your chat rooms. Assuming you were online in the first place. Wolfenstein 3D was a year away. We were using MSDOS on 80286- and 80386-based computers on a Novell network.

    Our own protocols weren't even inter-connectable without huge effort. One of my biggest projects was one allowing our main networking protocol to talk to HART devices via one of our small systems devices -- an enormous kludge.

    I can't speak for the minds of my fellows, but none of us were thinking in terms of the Internet for inter-connecting systems, and we had no more clue as to the need for security than the very people who were making the 'net.

    I certainly didn't expect to be carrying the Internet around on a phone in my pocket. Why would I be expecting people to be able to hack into a power station from their living room? Why on Earth would anybody want to connect a power station to a public network anyway?

  4. Anonymous Coward

    Industrial cybersecurity firm Indegy

"The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges"

    How about running it on a private VPN with a hardware dongle at either end to provide security. Just saying here :)

    1. Lotaresco

      Re: Industrial cybersecurity firm Indegy

      "How about running it on a private VPN with a hardware dongle at either end to provide security. Just saying here :)"

      Because it's just ever so slightly more complicated than that. There are good hardware encryption devices available but most customers flinch at the up-front and maintenance costs. Also it's not possible for private customers to get hold of the best algorithms and keys because governments keep those to themselves. You'll notice on the order forms that if you want the top-of-the-range encryption standards that you need to get the order approved by a government agency. The maintenance costs accrue because you either need access to both ends for key changes (which should be done several times a year) or you need a hardware device that can be managed out of band and that brings in a raft of other problems.

      The easiest way to implement what you are asking for is to have a point-to-point link from one set of premises to another via a firewall pair. It doesn't solve the key management problem.

      If what you are proposing is to have laptops or remote desktops as the endpoints then you need to consider how you issue the certs and "dongles" in a manner that prevents interception.

      It's not impossible, many organisations manage it, but it ends up relatively costly and also frustrating for the end users who usually have to arrive on site and prove who they are before they can get the laptops/keys/dongles.

      Having gone to all that trouble, how do you make sure that the end device is not compromised? It's not unknown for an engineer to work on a company system by day then pop off back to his hotel and surf "***Yes Big Boy*** Donkey Porn!!" all night on the Hotel WiFi. All the VPN in the world then will not stop the malware that was dumped onto his laptop invading the company SCADA when the laptop is connected to the management LAN via a VPN.
