Security flaws in Schneider Electric software that is used in critical infrastructure systems could be exploited to take control of and potentially cripple such systems, according to cybersecurity firm Tenable.
On May 2, Tenable issued an alert about the vulnerabilities, which are remote code execution vulnerabilities in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition software. The software is used in manufacturing, oil and gas, water, automation and wind and solar power facilities.
“If exploited, the vulnerability could give cybercriminals complete control of the underlying system. Attackers would also be able to use the compromised system to move laterally through the network, exposing additional systems to attack, including human-machine interface clients,” Tenable says in a statement. “In a worst-case scenario, attackers could use the vulnerability to disrupt or even cripple plant operations.”
Schneider Electric has issued patches for the software flaws. The company urged affected customers to deploy the patches as soon as possible because the exploits “could allow an un-authenticated malicious entity to remotely execute code with high privileges.”
The disclosure comes amid heightened concerns about attacks on the energy and utilities industries. In mid-March, the Department of Homeland Security reported that it, along with the FBI, had determined that “Russian government cyber actors” had launched “a multi-stage intrusion campaign” that targeted the networks of small commercial facilities in the energy and other critical infrastructure sectors. DHS offered utilities numerous practical tips for countering such cyberattacks.