Critical Infrastructure Security, Network Security, Vulnerability Management

Patched bug could have allowed attackers to remotely disconnect PLC devices from ICS systems

Energy management and automation firm Schneider Electric updated its Modicon M221 programmable logic controller for industrial controls systems after researchers discovered a vulnerability that could allow attackers to remotely disconnect the device.

The flaw, designated CVE-2018-7789, is classified as an improper check for unusual or exception conditions. While such conditions wouldn't normally occur, attackers can deliberately trigger them by sending maliciously crafted packets.

In a company security notification, Schneider Electric reported incorporating a fix for the vulnerability in Modicon M221 Firmware V1.6.2.0, delivered within SoMachine Basic V1.6 SP2.

The bug was assigned only a medium-severity CVSS score of 4.8, but the implications of exploiting it could have been severe, according to critical infrastructure cybersecurity solutions provider Radiflow, whose CTO Yehonatan Kfir discovered the problem roughly two months ago.

"An unauthorized user could have easily exploited this vulnerability to execute a synchronized attack and cause a number of these controllers to stop communicating," states a press release issued by Radiflow. "This type of unauthorized action would allow a cyberattacker to massively disconnect the affected PLCs from the HMI [human machine interface], leaving the operator with no way to view and control the physical processes on the OT network, while instantly harming the safety and reliability of the ICS systems."

Radiflow further attests that entities attacked in such a manner would have to physically access their PLCs and reboot them -- a process that would result in "significant downtime" to the network. "For this specific vulnerability, we prevented a potentially dangerous exploit that could have caused extensive damage to the safety, security and operations of numerous industrial enterprises and critical infrastructure operators," said Kfir, who uncovered two use cases for exploitation.

Vulnerability detection and proper patch management is particularly important in the ICS space, especially as nation-state actors and even cybercrime groups increasingly target such systems.

Indeed, a new Kaspersky Lab report and corresponding blog post reveals that 41.2 percent of ICS computers protected by the cybersecurity company were attacked by malware at least once in the first half of 2018. This represents a 3.5 percentage point increase over the previous six-month period, and a 4.6 percentage point increase year-over-year.

Despite recommendations to isolate ICS computers from internet-connected systems, the Kaspersky report also notes that 27.3 percent of the aforementioned attack attempts used the internet as the source of infection -- more than any other vector, followed by removable storage media (8.4 percent) and mail clients (3.8 percent).

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.