Researchers at the security company Armis have disclosed a critical vulnerability in Schneider Electric PLCs (programmable logic controllers) that exposes industrial facilities to both data and physical-safety attacks. Millions of these controllers are deployed worldwide; the affected models include the Modicon M340, the Modicon M580, and related Schneider Electric controllers.
A remote attacker who can reach the PLC over the network can abuse the vulnerability to gain complete control of the controller while remaining hard to detect. That control opens the way to remote code execution, compromise of the surrounding network, and malware installation. These controllers are used in building services, manufacturing, automation, HVAC, energy utilities, and other industrial applications.
Armis Researchers Dubbed the Vulnerability Modipwn
The Armis researchers who found the Schneider Electric PLC vulnerability named it Modipwn. Armis is an asset-visibility and security vendor. According to the researchers, an attacker can exploit the flaw to hijack the devices by bypassing the PLCs' existing security mechanisms, with consequences for the broader industrial setup the PLC controls. The vulnerability has been assigned CVE-2021-22779.
The vulnerability lets an attacker use undocumented commands to take full control of one of these controllers without authentication. From there, the attacker can achieve remote code execution, overwrite memory, and leak the hash that is used to authenticate secured connections to the PLC; with that hash, the attacker can re-configure the PLC without knowing its password. The same access can also be turned against the engineering workstations that manage the Schneider Electric PLCs.
Ben Seri, vice president of research at Armis, calls the problem merely a symptom of much deeper issues in the security of industrial control systems, which he attributes to a lack of attention to security during development. In his opinion, Schneider Electric PLCs will remain vulnerable even once Modipwn is fully patched.
Schneider Electric Response
Schneider Electric praised the Armis researchers and worked with the company to validate the findings and determine remediation steps. In a statement, Schneider Electric acknowledged that the vulnerabilities uncovered by the security firm affect its offerings, and said that following its guidance and specific instructions mitigates the potential impact. At the same time, Schneider Electric released patches to fix the PLC vulnerability.
Recommendations for Securing IoT Devices and Control Systems
Security researchers have recently noted a growing number of vulnerabilities in industrial control systems. Exploiting them is not trivial, however: to attack a PLC, the attacker first has to gain access to the network the PLC sits on, and if the PLCs are not internet-facing, obtaining that access is the hard part.
Some other recommendations are given below:
- Real-time monitoring of internal resources and of externally reachable, internet-connected resources.
- Access-control and privilege-management approaches, such as the zero-trust model.
- Disabling Universal Plug and Play (UPnP).
- Engaging proactive security services, given the rise in cyberattacks on organizations.
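The article says Modipwn rides on undocumented commands and recommends real-time monitoring, but it does not show what monitoring for such commands looks like. The following is an added example, not code from the article, Armis, or Schneider Electric. It parses Modbus/TCP requests from a constructed capture and flags traffic that a read-only HMI should never send: Modbus function code 0x5A (90), which is the vendor-reserved code Modicon controllers use for UMAS, the proprietary programming protocol Modipwn abuses (the article does not name the protocol or the code), plus write commands and unknown function codes from hosts that are not on an engineering-workstation allowlist. The IP addresses, the allowlist, and the sample frames are all assumptions made for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes (subset) that a read-only HMI polling a PLC uses.
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04, 0x07, 0x11}
# Public Modbus function codes that change PLC state.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
# Modicon controllers carry UMAS, the proprietary programming/configuration
# protocol Modipwn abuses, inside Modbus function code 0x5A (90).
UMAS_FUNCTION = 0x5A


@dataclass
class ModbusFrame:
    src: str             # source IP of the TCP connection (constructed here)
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(src: str, payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP request: 7-byte MBAP header, function code, data."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    # The MBAP length field counts every byte after the length field itself.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match payload {len(payload) - 6}")
    return ModbusFrame(src, tid, unit, payload[7], payload[8:])


def classify(frame: ModbusFrame, engineering_hosts: set) -> Optional[str]:
    """Return an alert label, or None when the frame is expected read traffic."""
    trusted = frame.src in engineering_hosts
    if frame.function == UMAS_FUNCTION:
        # Assumption of this example: only engineering workstations ever talk
        # UMAS, so UMAS from any other host is a Modipwn-style candidate.
        return "info:umas-from-engineering-host" if trusted else "critical:umas-from-untrusted-host"
    if frame.function in WRITE_FUNCTIONS:
        return None if trusted else "high:write-from-untrusted-host"
    if frame.function in READ_FUNCTIONS:
        return None
    return "medium:unknown-function-code"


def scan(capture, engineering_hosts):
    """Run the classifier over (src, payload) pairs; return (alerts, parse_errors)."""
    alerts, errors = [], []
    for src, payload in capture:
        try:
            frame = parse_modbus_tcp(src, payload)
        except ValueError as exc:
            errors.append((src, str(exc)))
            continue
        label = classify(frame, engineering_hosts)
        if label:
            alerts.append((src, frame.function, label))
    return alerts, errors


# Constructed sample capture (not real traffic): each payload is the TCP data
# of one Modbus/TCP request to port 502.
SAMPLE_CAPTURE = [
    ("10.0.0.20", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),            # HMI: Read Holding Registers
    ("10.0.0.99", bytes.fromhex("0002 0000 0004 01 5a 0002")),                 # unknown host: function 0x5A (UMAS)
    ("10.0.0.10", bytes.fromhex("0003 0000 0009 01 10 0000 0001 02 1234")),    # engineering WS: Write Multiple Registers
    ("10.0.0.20", bytes.fromhex("0004 0000 0006 01 05 0001 ff00")),            # HMI: Write Single Coil (HMI should only read)
    ("10.0.0.99", bytes.fromhex("0005 0001 0004 01 5a 0002")),                 # bad protocol id: parse error
]
ENGINEERING_HOSTS = {"10.0.0.10"}  # assumed engineering-workstation allowlist

if __name__ == "__main__":
    found, bad = scan(SAMPLE_CAPTURE, ENGINEERING_HOSTS)
    for item in found:
        print("ALERT", item)
    for item in bad:
        print("PARSE-ERROR", item)
```

The host allowlist is only as good as the hosts on it: the article notes that the same access threatens the engineering workstations themselves, and an attacker who has taken over one of those will produce UMAS traffic this classifier logs as "info". Treat the allowlist as one signal to combine with the zero-trust controls recommended above, not as the detection by itself.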