A critical security flaw in the InduSoft Web Studio and InTouch Machine Edition applications, both of which are made by Schneider Electric and are used in many industries that rely on automated systems, has been discovered by researchers at the Tenable security company. Tenable's researchers said the popularity of Schneider Electric's tools, combined with the severity of the vulnerability, could endanger many U.S. businesses.
InduSoft Web Studio and InTouch Machine Edition are used for Supervisory Control And Data Acquisition (SCADA) systems, human-machine interfaces (HMIs), and other automation systems. Tenable said in a blog post about its findings that "diverse industries including agriculture, transportation, energy, nuclear power, manufacturing, entertainment, and physical security" rely on SCADA systems and similar infrastructure.
These systems' popularity makes them a prime target for hackers. Compromising a country's or business' infrastructure can be just as harmful as a physical attack (if not more so), and cyber attacks are often harder to attribute to any specific group. Tenable's discovery shows that all of the sectors listed above, which range from the U.S.' food supply to its power grids, could be disrupted by exploiting this vulnerability.
Here's how Tenable described the vulnerability's implications in its blog post:
An unauthenticated remote attacker can leverage this attack to execute arbitrary code on vulnerable systems, potentially leading to full compromise of the InduSoft Web Studio or InTouch Machine Edition server machine. A threat actor can use the compromised machine to laterally transfer within the victims network and to execute further attacks. Additionally, connected HMI clients and OT devices can be exposed to attack.
The good news is that Schneider Electric has already updated InduSoft Web Studio and InTouch Machine Edition to address this vulnerability. The bad news is that it's up to each organization to install the newest versions of these applications themselves. Considering how slow this process can be, that means the vulnerability's impact might still be felt long after it was patched out of the affected software.