Pages

Tuesday, May 19, 2015

Schneider Electric Thanks the Winner of the Positive Hack Days Hacker Contest

Early April, Schneider Electric has released several updates and patches fixing vulnerabilities in the software used for creating SCADA and HMI systems at nuclear power plants, chemical plants and other critical units.

The vulnerabilities which even a novice attacker could exploit were found in InduSoft Web Studio 7.1.3.2, InTouch Machine Edition 2014 7.1.3.2 as well as previous versions of these products. Among bugs fixed — arbitrary code execution and non-encrypted storage/transfer of sensitive data. The vendor recommends downloading the new patches as soon as possible.

Ilya Karpov and Kirill Nesterov, Positive Technologies researchers, detected the vulnerabilities during an ICS security analysis. Meanwhile, many bugs in those products were independently revealed by the participants of the Critical Infrastructure Attack contest held in May 2014  at the international infosec conference Positive Hack Days IV.

Schneider Electric thanked the contest winner, Alisa Shevchenko (Esage Lab), for the vulnerabilities she identified.

The first PHDays contest in analyzing ICS security was held in 2013 when security experts at Positive Technologies laboratory developed a railway model, whose components (trains, railroad crossing gates, and cranes) were controlled by an ICS based on three real SCADA systems and three industrial controllers.

In 2014, the contest infrastructure was significantly changed to allow detection of zero-day vulnerabilities within a wider range of systems and industrial protocols including: transport, city lighting system, power plants and various robots.


In the competition scenario, SCADA systems and controllers are used at critical installations within various industries.  If exploited in a real life situation, these vulnerabilities could have very serious consequences.  According to the responsible disclosure policy, Critical Infrastructure Attack contestants must notify respective vendors about vulnerabilities they detected. Details about the vulnerabilities are available upon the fixes being disclosed by the vendor.

The next ICS security analysis contest will be held at Positive Hack Days V on May 26—27 in Moscow. You can find the details at phdays.com.

7 comments:

  1. The first PHDays contest in analyzing ICS security was held in 2013 when security experts at Positive Technologies laboratory developed a railway model, whose components (trains, railroad crossing gates, and cranes) were controlled by an ICS based on three real SCADA systems and three industrial controllers. Deshaies Electrical Services

    ReplyDelete
  2. williams david Certified ATM HACKERS of the Email Address
    LUCKYTECHATMHACKERS@GMAIL.COM). It’s at it again! Cool way to have
    Financial Freedom!!! Are you tired of living a poor life, and then here is
    the opportunity you have been waiting for. Get the New ATM Blank Card that
    can hack any ATM Machine and withdraw money from any account. You have to
    be smart to make use of this programmed card; you and I know that it’s
    illegal. It has a special feature, that makes the machine unable to detect
    the card, and its transaction is untraceable. You can use it anywhere in
    the world. With this card you can withdraw nothing less than $3,500 in a
    day. So to get the hacker contact via email address:
    LUCKYTECHATMHACKERS@GMAIL.COM]

    ReplyDelete
  3. Hey, congratulation to the winners! I hope there will be soon some new contest, every one from the world is waiting for it. Also check out this article about this contest http://thinksimplenow.com/happiness/how-to-deal-with-criticism/ Keep it up!

    ReplyDelete
  4. Thank you so much for all the wonderful information! I love your work

    Load Cell Suppliers

    ReplyDelete
  5. Thanks for this read mate. Well, this is my first visit to your blog! But I admire the precious time and effort you put into it, especially into interesting articles you share here

    ReplyDelete