Vulnerabilities in two applications widely used by manufacturers and power plant operators may have given hackers a foothold in America’s critical infrastructure, prior to being discovered by a Maryland-based cybersecurity firm.
Tenable announced Wednesday that flaws in two human-machine interface (HMI) tools developed by Schneider Electric, a global energy management and automation company, are being fixed after Tenable’s researchers discovered that remote attackers could easily access the tools.
Specifically, Schneider’s InduSoft Web Studio, which is used for real-time operations management in the production of oil and gas, among various other industries, and InTouch Machine Edition, human-machine interface SCADA software, were both affected, according to Tenable.
Schneider, which has issued software patches to address the problem, did not immediately respond to a request for comment.
SCADA, or supervisory control and data acquisition, is a type of industrial control system used in everything from manufacturing to power plants to space stations. (Notably, the SCADA system on the International Space Station was inadvertently infected with malware in 2008 thanks to an astronaut carrying an infected USB drive.)
According to Tenable, the flaws researchers say they found in Schneider’s software would have allowed a malicious hacker to execute arbitrary code without the use of credentials. Worse, they may have also enabled the attacker to move laterally through the victim’s network and gain access to other critical systems, the company said.
“Given the widespread prevalence and market share of the affected software in the [operational technology] space, urgent attention and response from affected users are required,” Tenable said.
In a statement, Tenable highlighted recent warnings issued by the FBI and Department of Homeland Security about Russian state-sponsored hackers targeting US critical infrastructure, including energy, nuclear, and commercial entities, such as water plants and airports.
“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks,” the government warned.
The hackers observed by the US agencies were able to move laterally through the networks they infiltrated, gathering intelligence on industrial control systems, likely including SCADA.