The software used to program and deploy code to various Schneider Electric industrial controllers has a weakness that could allow hackers to remotely take over engineering workstations.
The software, known as Unity Pro, runs on PCs used by engineers and includes a simulator for testing code before deploying it to programmable logic controllers (PLCs). These are the specialized hardware devices that monitor and control mechanical processes — spinning motors, opening and closing valves, etc. — inside factories, power stations, gas refineries, public utilities and other industrial installations.
Researchers from industrial cybersecurity firm Indegy found that unauthenticated attackers could execute malicious code on Windows computers where the Unity Pro PLC simulator is installed. That code would run with debug privileges leading to a complete system compromise.
Since Unity Pro is typically installed on engineering workstations, a compromise of those systems would provide attackers with the ability to reprogram in-production PLCs and interfere with critical processes. Furthermore, they could provide them with access to intellectual property such as secret recipes for products that are being manufactured and which can be derived from the legitimate programs deployed to PLCs.
According to the Indegy researchers, the Unity Pro PLC simulator opens a network service on workstations that listens on a specific TCP port and allows remote computers to send control code packaged in a proprietary format to the simulator.
Any computer that can communicate with the engineering workstation over the network can send .apx files to be executed by the Unity Pro PLC simulator without authentication. The simulator supports binary formats for different Schneider Electric PLCs, including for those using the x86 architecture.
The Indegy researchers found that they can craft an .apx file that contains malicious x86 instructions and which the Unity Pro software will execute in a child process.
The problem is that this process runs with debug privileges on Windows so you can do anything you want to the machine, said Mille Gandelsman, CTO of Indegy. Breaking out of this process is trivial because there is no sandbox or code isolation, he said.
Because of their privileged position, engineering workstations are what Gandelsman calls the crown jewels of industrial control networks. Even if there are firewalls separating PLCs from the rest of the network, engineering workstations will always be whitelisted and will be able to communicate with them because that’s their role.
According to a Schneider Electric security advisory regarding this issue, there are is at least one limiting factor: the attack will only work if there’s no other application program running inside the PLC simulator or if that application is not password protected.
Because of this, the newly released Unity Pro version 11.1 will not allow the simulator to be launched without an associated application. However, “it is up to the user to select the Unity PRO default application to be launched by the simulator, and to protect this application program by a password,” the company said in the advisory.
Schneider Electric did not immediately respond to a request for comment.
Another limiting factor is that a potential attacker already needs to have access to a computer on the network that can communicate with the Unity Pro engineering workstation in the first place.
Access to such a computer can be obtained in a number of ways, including through malware attacks, other vulnerabilities and even malicious insiders. However, this vulnerability highlights the importance of proper network segmentation, where industrial control assets, including engineering workstations, are isolated from a company’s general IT network.