Critical Flaws in Industrial Software Left US Infrastructure Wide Open to Hackers

Photo: AP

Vulnerabilities in two applications widely used by manufacturers and power plant operators may have given hackers a foothold in America’s critical infrastructure, prior to being discovered by a Maryland-based cybersecurity firm.

Tenable announced Wednesday that flaws in two human-machine interface (HMI) tools developed by Schneider Electric, a global energy management and automation company, are being fixed after Tenable’s researchers discovered that remote attackers could easily access the tools.

Advertisement

Specifically, Schneider’s InduSoft Web Studio, which is used for real-time operations management in the production of oil and gas, among various other industries, and InTouch Machine Edition, human-machine interface SCADA software, were both affected, according to Tenable.

Schneider, which has issued software patches to address the problem, did not immediately respond to a request for comment.

SCADA, or supervisory control and data acquisition, is an industry control system used in everything from manufacturing to power plants to space stations. (Notably, the SCADA system on the International Space Station was inadvertently infected with malware in 2008 thanks to an astronaut carrying an infected USB drive.)

According to Tenable, the flaws researchers say they found in Schneider’s software would have allowed a malicious hacker to execute arbitrary code without the use of credentials. Worse, it may have also enabled the attacker to move laterally through the victim’s network and gain access to other critical systems, the company said.

Advertisement

“Given the widespread prevalence and market share of the affected software in the [operational technology] space, urgent attention and response from affected users are required,” Tenable said.

In a statement, Tenable highlighted recent warnings issued by the FBI and Department of Homeland Security about Russian state-sponsored hackers targeted US critical infrastructure, including energy, nuclear, and commercial entities, such as water plants and airports.

Advertisement

“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks,” the government warned.

The hackers observed by the US agencies were able to move laterally through the networks they infiltrated, gathering intelligence on industry control systems, likely including SCADA.

Advertisement

Share This Story

About the author

Dell Cameron

Privacy, security, tech policy | Got a tip? Email: dell@gizmodo.com | Send me encrypted texts using Signal: (202)556-0846

EmailTwitterPosts
PGP Fingerprint: A70D 517E FB9A 02C9 C56E 86D5 877E 64E7 10DF A8AEPGP Key
OTR Fingerprint: 2374A8EA 6D2B7712 0D82D659 C0FE8253 A3F080FD