Schneider Electric thanked the winner of the PHDays hacker contest

In early April, Schneider Electric released several updates and patches covering vulnerabilities in software used to build SCADA and HMI systems in nuclear power plants, chemical plants and other critical facilities.

InTouch Machine Edition 2014 version 7.1.3.2 and InduSoft Web Studio 7.1.3.2, as well as previous versions of these products, are at risk. Among the corrected errors: the possibility of executing an arbitrary code, storing and transmitting confidential data in unencrypted form. Even a novice hacker can take advantage of these vulnerabilities to commit an attack. The manufacturer recommends that users install the released patches as soon as possible.
')
Vulnerabilities were discovered by Positive Technologies researchers Ilya Karpov and Kirill Nesterov during their work on assessing the level of security of industrial systems. In addition, a large number of errors in the same software products were found by the participants of the Critical Infrastructure Attack competition, which was held at the International Conference on Security Positive Hack Days IV. Schneider Electric thanked the winner of the competition Alisa Shevchenko ( Esage Lab ) for the vulnerabilities found. However, the company did not mention some vulnerabilities in the bulletin and did not create CVE-records for them. Unfortunately, this practice is becoming more common: manufacturers correct security errors, but do not always recognize their presence.

Recall that the first time the competition for the analysis of the security of industrial control systems (ACS TP) was held at Positive Hack Days in 2013 under the name Choo Choo Pwn. Then, in the laboratory of the company Positive Technologies, a game model of the railway was created, all the elements of which — trains, barriers, cranes — are controlled by means of an automated process control system built on the basis of three SCADA systems and three industrial controllers.

In 2014, the competitive infrastructure was radically changed, which opened up opportunities for detecting zero-day vulnerabilities in a wider range of industrial protocols and control systems. In addition to the transport infrastructure, the contest participants could take control of the urban lighting system, CHP and various robots.

At the same time, all competitive SCADA systems and controllers are used at critical facilities in various industries, and the actual exploitation of vulnerabilities can lead to disastrous consequences for residents of the modern city. Following the principles of responsible disclosure, participants in the Critical Infrastructure Attack competition must first report the vulnerabilities found to the vendors, and only after the problems have been fixed will detailed information about them be published.

The next competition for analyzing the security of the automated process control system will be held at the fifth forum Positive Hack Days, which will be held on May 26 and 27 in Moscow. Details on the site phdays.ru .