On May 2nd, vulnerabilities were disclosed in two applications widely used by manufacturers and power plant operators that may provide hackers with a foothold in America’s critical infrastructure. The flaws affect tools developed by Schneider Electric that are used for managing industrial processes in oil and gas and other industries.
The new vulnerabilities disclosed and patched today are the latest in a string of disclosures made in the past few months affecting industrial control systems, which are the most sensitive components in our critical infrastructure.
IT security managers have made it a priority over the past couple of years to better protect their ICS environments. Part of these network hygiene efforts entails maintaining updated anti-virus programs, patching operating systems and enforcing password policies on devices. The problem arises when a vulnerability emerges that makes it possible for attackers to circumvent all the aforementioned defense mechanisms and fairly easily access the systems that control power plant or manufacturing processes.
Unfortunately, cyber security vendors over the past decade have focused their efforts on enterprise IT environments, while neglecting industrial environments. The same lack of attention has been displayed by internal security audit teams at industrial equipment vendors themselves. The result is that vulnerabilities and exploits in industrial software and industrial controllers have become pervasive. This lack of attention, combined with the fact that most industrial software was designed two decades ago and hasn’t changed much since, creates a perfect environment for vulnerabilities to exist – and for researchers (and attackers) to find them.
One of the most important takeaways from these disclosures is that “the patching process” isn’t only relevant to operating systems, but is crucial to literally every piece of software installed on industrial systems, especially control devices in critical infrastructures. In situations where critical machines can't be patched, which is very common in industrial environments, it’s even more important to make sure tools are in place to monitor for dangerous changes in behavior. These can include intrusion detection systems that analyze network traffic and device behavior to detect threats and stop bad things before they happen.