Researchers discovered security flaws in two software programs used worldwide to control manufacturing sites, power plants, water systems and solar power facilities, network security company Tenable said Wednesday.
The vulnerabilities would have given potential hackers complete access to industrial controls, remotely allowing them to shut down critical-infrastructure plants in the worst-case scenario, said David Cole, Tenable's chief product officer. The flaws also opened a floodgate for attackers to move throughout an entire network and cripple not only the machine it infected, but every device it's connected to.
The flaws affected two software programs from Schneider Electric, a France-based company that develops digital tools for critical infrastructure. The company's software is popular in China, Australia, the US and western Europe, according to its investor relations notes.
Schneider Electric released patches for these issues on April 6, and urged plant managers to update their systems. The company considered the issue a critical vulnerability.
Hacks against critical infrastructure carry more weight than typical cyberattacks, considering that the effects can result in blackouts and potential life-or-death scenarios as hospitals and cities depend more heavily on technology. In March, the Department of Homeland Security and the FBI issued a warning that Russian hackers have been attempting to hijack US electric grids since March 2016, targeting energy, water, nuclear and manufacturing companies.
Critical infrastructure has become a major target for hackers looking to cause damage, and the vulnerabilities that Tenable discovered could have allowed for a cyberattack on a massive scale.
Attackers "could reprogram the devices in a way that could create safety hazards," Cole said. "That could lead to any number of things, from safety issues to availability issues and even espionage."
The vulnerabilities were hidden in InduSoft Web Studio and in InTouch Machine Edition, both of which help run critical infrastructure run smoothly. The software helps people program machines and tell equipment how to run.
The problem meant that the software could fall victim to a carefully coded vulnerability, with malware packed in that could run remotely. That means an attacker wouldn't need to be near the industrial controls to carry out an attack.
"If they knew someone was programming a logic controller that was from Schneider, it would allow them to take over the machine and potentially interfere with the industrial system," Cole said.
Schneider didn't immediately respond to a request for comment.
It's unclear to tell how many systems have updated their software with Schneider Electric's patches released in April. Researchers from Tenable said they haven't seen this vulnerability used in cyberattacks, but there's also no way to know for sure unless victims announce it.
Unlike most critical infrastructure systems, however, these vulnerabilities are much easier to patch, Cole said. Patching can often be an issue because factories and power plants don't have the time to shut down their system to apply security patches.
That's not the case for these vulnerabilities, Cole said.
"We're talking about a Windows device, so it should be pretty readily updateable," he said.
Cambridge Analytica: Everything you need to know about Facebook's data mining scandal.
iHate: CNET looks at how intolerance is taking over the internet.