Schneider Electric Patches Major ICS Vulnerability


Indegy Labs researchers recently discovered a vulnerability [PDF] in Schneider Electric's Unity Pro management software for industrial controllers. The flaw could be leveraged to execute code remotely on any computer running the software.

"Since Schneider Electric is one of the largest industrial control equipment providers, this vulnerability is a major concern," the researchers noted.

The researchers discovered the vulnerability almost six months ago, and disclosed it privately to Schneider Electric at the time, according to Kaspersky Lab.

In response, the company has released a software update that patches the flaw. All versions of the Unity Pro software up to and including version 11.1 are affected, Computer Weekly reports.

Earlier this week, Schneider Electric also introduced new Cyber Update services, which automatically distribute the company's OS patches and endpoint protections.

"Not applying the correct industry patches when they are available, or applying the wrong patch, makes our customers' systems and operations vulnerable to cyber attack," Nathalie Marcotte, senior vice president for process automation services at Schneider Electric, said in a statement.

"Improper cyber maintenance creates the greatest risk of a successful cyber attack," Marcotte added. "As our customers transform their operations in the age of the IIoT, it is imperative to make managing cyber security easier and less time consuming."

A new report [PDF] from ForeScout Technologies, based on research conducted by ethical hacker Samy Kamkar, found that common enterprise IoT devices can be hacked in less than three minutes, but can take days or weeks to remediate.

Kamkar looked at seven common IoT devices including IP-connected security systems, smart HVACs, energy meters, video conferencing systems and connected printers. Most of the devices aren't built with embedded security, and of the ones that are, many are operating with dangerously outdated firmware.

"IoT is here to stay, but the proliferation and ubiquity of these devices in the enterprise is creating a much larger attack surface -- one which offers easily accessible entry points for hackers," ForeScout president and CEO Michael DeCesare said in a statement.

A recent eSecurity Planet article offered advice on improving IoT security.