Radiflow uncovers security flaw in a Schneider Electric controller device
September 2018 by Radiflow
Radiflow, a provider of industrial cybersecurity solutions for critical infrastructure, today announced that it discovered, and helped Schneider Electric remediate, a security vulnerability in a Schneider Electric Modicon controller that put the safety and availability of the ICS networks in which these devices are installed at serious risk.
Radiflow's threat intelligence research team found the vulnerability in Schneider Electric's Modicon M221 controller. By sending crafted packets to the device, an unauthenticated remote attacker could cause it to stop communicating on the ICS network.
An attacker could have used this vulnerability in a coordinated attack to silence many controllers at once. Cutting the affected PLCs off from the HMI would leave the operator with no way to view or control the physical process on the OT network, directly harming the safety and reliability of the ICS. Recovery would require rebooting each attacked PLC, which in turn requires physical access to the controllers, so an attack of this kind would cause significant downtime.
The vulnerability was uncovered by Radiflow's CTO, Yehonatan Kfir, as part of the company's ongoing vulnerability research. The work by Kfir and the threat intelligence research team involved reverse engineering the control protocol used by the affected controller and isolating the exact packet structure that triggers the shutdown. Radiflow identified at least two ways to exploit the same flaw in the Modicon firmware implementation, both of which can be carried out remotely.
When the vulnerability was discovered, Radiflow added a signature for the attack to its iSID industrial threat detection system, so that its customers were protected against the exploit while Schneider Electric worked on a fix.
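As an added illustration, and not code from Radiflow or the iSID signature itself (the article does not disclose the packet structure), the following Python shows the shape of the network-side check such a detection performs: parse each Modbus/TCP frame sent to the PLC, and raise an alert when the frame is malformed, comes from a host outside the engineering allow-list, or carries a function code outside the controller's normal baseline. The allow-list, the baseline function codes, the sample frames, and the use of Modbus function code 0x5A for the controller's vendor-specific management channel are all assumptions made for this example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed baseline for one PLC (an assumption for this example; in practice
# it is learned from traffic observed during commissioning).
ALLOWED_CLIENTS = {"10.0.0.5"}           # the HMI/SCADA server
EXPECTED_FUNCTION_CODES = {3, 4, 16}     # read holding/input regs, write multiple regs
# Assumption: the vendor-specific management/programming channel rides on
# Modbus function code 0x5A. Seeing it from a non-engineering host is suspicious.
VENDOR_FUNCTION_CODE = 0x5A


@dataclass
class Alert:
    src: str
    reason: str


def parse_modbus_tcp(payload: bytes) -> Tuple[int, int, bytes]:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header, then the PDU.

    Returns (unit_id, function_code, data). Raises ValueError on frames that
    do not respect the MBAP length field, which a crafted packet may not.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (0)")
    # The MBAP length field counts unit id + PDU: everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} != actual {len(payload) - 6}")
    return unit_id, payload[7], payload[8:]


def inspect(src: str, payload: bytes) -> List[Alert]:
    """Apply the baseline checks to one frame sent by `src` to the PLC."""
    try:
        _unit, fc, _data = parse_modbus_tcp(payload)
    except ValueError as err:
        return [Alert(src, f"malformed Modbus/TCP frame: {err}")]
    alerts: List[Alert] = []
    if src not in ALLOWED_CLIENTS:
        alerts.append(Alert(src, f"function 0x{fc:02x} from host outside allow-list"))
    if fc == VENDOR_FUNCTION_CODE:
        alerts.append(Alert(src, "vendor-specific management function code"))
    elif fc not in EXPECTED_FUNCTION_CODES:
        alerts.append(Alert(src, f"function 0x{fc:02x} outside baseline"))
    return alerts


# Constructed sample frames (not captured traffic).
FRAMES: List[Tuple[str, bytes]] = [
    # HMI reading 10 holding registers from unit 1: tid=1, pid=0, len=6, fc=0x03.
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),
    # Unknown host using the vendor management function code (fc=0x5a).
    ("10.0.0.99", bytes.fromhex("0002000000050 15a000102".replace(" ", ""))),
    # Frame whose MBAP length field (0x40) disagrees with its real size.
    ("10.0.0.5", bytes.fromhex("00030000004001030000000a")),
]


def scan(frames=FRAMES) -> Dict[str, List[str]]:
    """Run inspect() over a frame list and group alert reasons by source host."""
    out: Dict[str, List[str]] = {}
    for src, payload in frames:
        for alert in inspect(src, payload):
            out.setdefault(alert.src, []).append(alert.reason)
    return out


if __name__ == "__main__":
    for host, reasons in scan().items():
        for reason in reasons:
            print(f"ALERT {host}: {reason}")
```

The length-field check matters as much as the function-code check: a crafted packet that relies on the PLC mishandling an inconsistent header is exactly the kind of frame a strict parser on the monitoring side can flag before the controller ever sees it.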
"For this specific vulnerability, we prevented a potentially dangerous exploit that could have caused extensive damage to the safety, security and operations of numerous industrial enterprises and critical infrastructure operators," said Yehonatan Kfir, CTO at Radiflow. "Equally important, we are proud of our threat intelligence research team for its ongoing efforts in detecting new vulnerabilities and improving the cybersecurity protection capabilities of our solutions and the overall operations of our customers."
Radiflow discovered the vulnerability approximately two months ago and immediately reported it to Schneider Electric, which has since remediated it. The vulnerability was assigned CVE-2018-7789. "Schneider Electric would like to thank Yehonatan Kfir of Radiflow for all his efforts related to identification and coordination of this vulnerability," Schneider Electric wrote in the security notification it published on the resolution of the flaw.
More information is available in the ICS-CERT advisory: https://ics-cert.us-cert.gov/adviso....
Earlier this year, Radiflow announced that its threat intelligence team had detected cryptocurrency-mining malware on the operational technology network of a wastewater facility customer in Europe. The malware consumed CPU and network bandwidth on devices in the customer's network in order to mine the Monero cryptocurrency, which would have significantly slowed the response times of the devices on that OT network. The attack was stopped by Radiflow's iSID industrial threat detection system.