
Critical Flaws in Industrial Software Left US Infrastructure Wide Open to Hackers


Vulnerabilities in two applications widely used by manufacturers and power plant operators may have given hackers a foothold in America’s critical infrastructure, prior to being discovered by a Maryland-based cybersecurity firm.


Tenable announced Wednesday that flaws in two human-machine interface (HMI) tools developed by Schneider Electric, a global energy management and automation company, are being fixed after Tenable’s researchers discovered that remote attackers could easily access the tools.

Specifically, Schneider’s InduSoft Web Studio, which is used for real-time operations management in the production of oil and gas, among various other industries, and InTouch Machine Edition, human-machine interface SCADA software, were both affected, according to Tenable.


Schneider, which has issued software patches to address the problem, did not immediately respond to a request for comment.

SCADA, or supervisory control and data acquisition, is an industry control system used in everything from manufacturing to power plants to space stations. (Notably, the SCADA system on the International Space Station was inadvertently infected with malware in 2008 thanks to an astronaut carrying an infected USB drive.)

According to Tenable, the flaws researchers say they found in Schneider’s software would have allowed a malicious hacker to execute arbitrary code without the use of credentials. Worse, it may have also enabled the attacker to move laterally through the victim’s network and gain access to other critical systems, the company said.

“Given the widespread prevalence and market share of the affected software in the [operational technology] space, urgent attention and response from affected users are required,” Tenable said.


In a statement, Tenable highlighted recent warnings issued by the FBI and Department of Homeland Security about Russian state-sponsored hackers targeting US critical infrastructure, including energy, nuclear, and commercial entities, such as water plants and airports.

“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks,” the government warned.


The hackers observed by the US agencies were able to move laterally through the networks they infiltrated, gathering intelligence on industry control systems, likely including SCADA.

Senior Reporter, Privacy & Security


DISCUSSION

Nothing related to critical information should be on the public internet. PERIOD.

Most of these facilities are 30+ years old. Many of them have software that is 20+ years old running on computers long since gone out of production. They do their jobs fine, but they were never prepared for the internet. Software from new companies isn’t even prepared for it, always being 1 0-day away from being compromised.

It's all cute when we get our *gram hacked and lose some risque pics. It's a whole different thing when supposedly responsible people leave life-critical systems open to all the people that want to do us harm. There are 0 good reasons to have power plants and other major infrastructure on the open internet.