Energy management and automation firm Schneider Electric updated its Modicon M221 programmable logic controller for industrial control systems after researchers discovered a vulnerability that could allow attackers to remotely disconnect the device.
The flaw, designated CVE-2018-7789, is classified as an improper check for unusual or exception conditions. While such conditions wouldn’t normally occur, attackers can deliberately trigger them by sending maliciously crafted packets.
In a company security notification, Schneider Electric reported incorporating a fix for the vulnerability in Modicon M221 Firmware V126.96.36.199, delivered within SoMachine Basic V1.6 SP2.
The bug was assigned only a medium-severity CVSS score of 4.8, but the implications of exploiting it could have been severe, according to critical infrastructure cybersecurity solutions provider Radiflow, whose CTO Yehonatan Kfir discovered the problem roughly two months ago.
“An unauthorized user could have easily exploited this vulnerability to execute a synchronized attack and cause a number of these controllers to stop communicating,” states a press release issued by Radiflow. “This type of unauthorized action would allow a cyberattacker to massively disconnect the affected PLCs from the HMI [human machine interface], leaving the operator with no way to view and control the physical processes on the OT network, while instantly harming the safety and reliability of the ICS systems.”
Radiflow further attests that entities attacked in such a manner would have to physically access their PLCs and reboot them — a process that would result in “significant downtime” to the network. “For this specific vulnerability, we prevented a potentially dangerous exploit that could have caused extensive damage to the safety, security and operations of numerous industrial enterprises and critical infrastructure operators,” said Kfir, who uncovered two use cases for exploitation.
Vulnerability detection and proper patch management are particularly important in the ICS space, especially as nation-state actors and even cybercrime groups increasingly target such systems.
Indeed, a new Kaspersky Lab report and corresponding blog post reveal that 41.2 percent of ICS computers protected by the cybersecurity company were attacked by malware at least once in the first half of 2018. This represents a 3.5 percentage point increase over the previous six-month period, and a 4.6 percentage point increase year-over-year.
Despite recommendations to isolate ICS computers from internet-connected systems, the Kaspersky report also notes that 27.3 percent of the aforementioned attack attempts used the internet as the source of infection — more than any other vector, followed by removable storage media (8.4 percent) and mail clients (3.8 percent).