New vulnerability found in systems used in electric, gas industries

Researchers have discovered a new vulnerability in technology widely used to operate critical services such as oil and electric systems that they warn hackers could exploit.

The vulnerability, disclosed Wednesday by cybersecurity firm Tenable, impacts two applications used to program industrial control systems powering critical infrastructure in the United States and elsewhere.

Tenable publicly disclosed the vulnerability after reporting it to Schneider Electric, an international energy management company headquartered in France that produced the applications.

Schneider Electric has already issued patches for the affected systems.

{mosads}

Researchers say that exploiting the vulnerability successfully could give hackers complete control of the underlying system and allow them to move laterally through the network.

A hacker could theoretically gain access to the human-machine interface (HMI) — technology used by an individual to control the industrial system — and potentially shut down or disrupt operations.

“An attacker can completely take over the machine that is being used to program the component of the industrial control system,” said Dave Cole, chief product officer at Tenable. “There’s any of a number of ways that this could be used for industrial espionage or even destruction.” 

The vulnerability affects InduSoft Web Studio, an automation tool used to develop HMI and supervisory control and data acquisition (SCADA) systems, as well as InTouch Machine Edition, a scalable HMI software.

The tools are widely used to design industrial control systems used in the manufacturing, oil and gas, water and solar power industries.

Cole told The Hill that Tenable has seen no real-world evidence of hackers leveraging the vulnerability, but would not rule out the possibility that it has been used in attacks. 

The revelation comes amid heightened scrutiny of vulnerabilities that could impact critical infrastructure after U.S. officials divulged efforts by Russian hackers to target the U.S. energy sector.

U.S. officials revealed in March that hackers backed by the Russian government staged a multiyear cyber campaign against targets in the U.S. energy, nuclear and water industries.

In some cases, hackers gained access to energy sector networks and moved laterally to collect information on industrial control systems and SCADA systems.