Kaspersky ICS CERT investigated Schneider Electric’s Unified Messaging Application Services (UMAS) and vulnerabilities in this highly popular protocol, used in multiple industries – from manufacturing to elevator control systems. By exploiting the described vulnerabilities, attackers could gain access to an entity’s entire automation system.
UMAS (Unified Messaging Application Services) is Schneider Electric’s proprietary protocol used to configure, monitor, collect data from and control Schneider Electric industrial controllers. The protocol is very widely used across different industries. The issues described by Kaspersky ICS CERT experts relate to unauthorized access to the programmable logic controller (PLC) and the methods cybercriminals use to circumvent authentication.
In 2020, a vulnerability was reported, CVE-2020-28212, which could be exploited by an unauthorized remote attacker to gain control of a programmable logic controller (PLC) with the privileges of an operator already authenticated to the controller. To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which is expected to provide protection against unauthorized access to PLCs and unwanted modifications.
An analysis conducted by Kaspersky ICS CERT experts showed that the implementation of the new security mechanism also has flaws. The vulnerability CVE-2021-22779, identified in the course of the investigation, could allow a remote attacker to make changes to the PLC, bypassing authentication.
As the investigators found, the main problem was that the authentication data used to “reserve” the device for modification was calculated entirely on the client side, and the “secret” used could be obtained from the PLC without authentication.
To help customers mitigate the aforementioned issues, Schneider Electric has published an advisory with security recommendations. Kaspersky ICS CERT, in turn, recommends the additional use of network monitoring and deep analysis solutions for industrial protocols, such as Kaspersky Industrial CyberSecurity for Networks, to monitor and control remote access attempts to PLC devices.
“The threat landscape is constantly evolving, and an organization’s security strategy must also constantly evolve to meet new challenges. Currently, building a cybersecurity system is not a final state, but an ongoing proactive process – which is proven by the example of the UMAS protocol. We are grateful that Schneider Electric was able to quickly respond to discovered vulnerabilities and provide its customers with the appropriate solution and recommendations. However, our advice to everyone responsible for security within a company is to implement special solutions.”
Pavel Nesterov, security expert at Kaspersky ICS CERT.
To keep your ICS computers safe from various threats, Kaspersky experts recommend:
- Regularly update operating systems and application software that are part of the company’s network. Apply security patches to OT computers and network equipment as soon as they become available.
- Conduct regular security audits of IT and OT systems to identify and eliminate potential vulnerabilities.
- Use the ICS network traffic monitoring, analysis and detection product Kaspersky Industrial CyberSecurity for Networks for better protection against attacks that potentially threaten technology processes and key business assets. Its Command Control module detects the exploitation of vulnerabilities in the UMAS protocol when an attacker tries to execute the “Reserve controller” command. Another module, Network Integrity Control, logs unauthorized connections to the network. All events are combined into an incident and sent to the administrator for further investigation.
- Implement dedicated security training for IT security teams and OT engineers to improve the response to new and advanced malicious techniques.
- Provide the security team responsible for protecting industrial control systems with updated information on threats. The new service ICS Threat Intelligence Reporting provides information on current threats and attack vectors, as well as the most vulnerable elements in OT and industrial control systems and how to mitigate them.
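The kind of check the “Reserve controller” monitoring above describes can be sketched as follows; this is an added example, not code from Kaspersky or Schneider Electric. It assumes, from public protocol research rather than from this page, that UMAS travels in Modbus/TCP function code 0x5A and that a reservation request is UMAS function 0x10; the addresses, allowlist and frames are constructed.

```python
import struct

MODBUS_FC_UMAS = 0x5A         # assumption: Modbus function code carrying UMAS
UMAS_TAKE_RESERVATION = 0x10  # assumption: UMAS "reserve controller" request


def parse_umas(frame: bytes):
    """Return (session_byte, umas_function) for a UMAS request frame, else None."""
    if len(frame) < 10:  # 7-byte MBAP header + 0x5A + session byte + UMAS function
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None      # not Modbus/TCP, or a truncated/padded frame
    if frame[7] != MODBUS_FC_UMAS:
        return None      # ordinary Modbus traffic
    return frame[8], frame[9]


def reservation_alerts(packets, engineering_hosts):
    """Return one alert per reservation request sent by a host outside the allowlist."""
    alerts = []
    for src, dst, frame in packets:
        parsed = parse_umas(frame)
        if parsed and parsed[1] == UMAS_TAKE_RESERVATION and src not in engineering_hosts:
            alerts.append({"src": src, "plc": dst, "event": "umas_reserve_controller"})
    return alerts


def build_frame(tid: int, pdu: bytes, unit: int = 0) -> bytes:
    """Wrap a PDU in an MBAP header (the length field counts the unit id plus the PDU)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: (source, destination, Modbus/TCP payload).
PLC = "192.0.2.20"
FILLER = b"\x00" * 4  # placeholder request body, not a real reservation payload
SAMPLE = [
    ("192.0.2.5", PLC, build_frame(1, bytes([0x5A, 0x00, 0x10]) + FILLER)),   # engineering workstation
    ("192.0.2.77", PLC, build_frame(2, bytes([0x5A, 0x00, 0x10]) + FILLER)),  # unknown host
    ("192.0.2.77", PLC, build_frame(3, bytes([0x03, 0x00, 0x00, 0x00, 0x01]))),  # plain Modbus read
    ("192.0.2.77", PLC, build_frame(4, bytes([0x5A, 0x00, 0x02]))),           # different UMAS function
    ("192.0.2.77", PLC, build_frame(5, bytes([0x5A, 0x00, 0x10]))[:8]),       # truncated frame
]

if __name__ == "__main__":
    for alert in reservation_alerts(SAMPLE, engineering_hosts={"192.0.2.5"}):
        print(alert)
```

Because the reservation itself could be obtained without valid credentials, the allowlist here is by network source, which is what a passive monitor can observe.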