A maker of prominent industrial-control software acknowledged a potentially critical vulnerability in two of its products after the U.S. Department of Homeland Security and the British National Cyber Security Centre warned critical-infrastructure facilities controlling electricity, water, and oil and gas operations about potential computer attacks from Russia.
“In multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities,” the DHS said in a joint statement with the FBI, according to CNET.
The flaws, discovered by security company Tenable Research, affected software from Schneider Electric, a France-based company that develops digital tools for critical infrastructure. The company’s software is used in critical infrastructure around the world, with high demand in China, Australia, the U.S. and Western Europe.
Researchers say that exploiting the vulnerability successfully could give hackers complete control of the underlying system and allow them to move laterally through the network.
A hacker could theoretically gain access to the human-machine interface (HMI) —technology used by an individual to control the industrial system — and potentially shut down or disrupt operations.
“An attacker can completely take over the machine that is being used to program the component of the industrial control system,” said Dave Cole, chief product officer at Tenable. “There’s any of a number of ways that this could be used for industrial espionage or even destruction.”
On March 16, the U.S. blamed the Russian government for a campaign of cyber attacks stretching back at least two years that targeted the U.S. power grid, marking the first time the United States has publicly accused Moscow of hacking into American energy infrastructure.