Binary Planting Security Vulnerability with Wonderware
System Platform used in Foxboro Process Automation Products
July 24, 2015
Schneider Electric is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service.
Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Schneider Electric recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.
Potential Security Vulnerability:
It is recognized that the global threat environment is constantly changing and we are committed to helping our customers protect the security of their installations. We have reviewed the issue described in this Customer Advisory and determined that, if no action is taken, there is a potential security vulnerability that could allow an attacker to compromise the integrity, availability, or confidentiality of a product. We strongly advise customers to take note of the actions recommended, to test such actions or patches on non-production systems as able, prior to deployment into production environments. This approach is recommended in order to minimize risk and exposure to announced vulnerabilities.
Wonderware by Schneider Electric has disclosed a group of cyber security
binary planting vulnerabilities in Wonderware System Platform 2014 R2 and
earlier (see Wonderware Security Bulletin,
LFSEC00000106). Wonderware System Platform is an
integral part of InFusion™ Control Edition, InFusion™ SCADA, Foxboro SCADA,
Foxboro® Control Software (FCS), and Foxboro Evo™ Control Software.
NOTE: Binary Planting is also known as DLL Preloading, DLL Hijacking, and
Insecure Library Loading.
The vulnerabilities, if exploited, could allow malicious code execution and
have been given a rating of "High". There are no known exploits reported at
this time. Schneider Electric recommends that organizations evaluate the impact
of this vulnerability based on their operational environment, architecture, and
ACTIONS OR RESOLUTIONS
Schneider Electric believes that the exploitation of
vulnerabilities, such as binary planting described above, is preventable in an
environment secured using industry standard practices. Schneider Electric
has used cyber-security defenses in the design and implementation of its
product. This - in combination with the client's implementation of best
practices, policies and procedures in accordance with industry standards to
provide a secure environment, restrict and control access to the control
environment - will effectively provide a defensive barrier to vulnerabilities
such as this one. Some of the more important cyber-security defenses and
industry standard, customer implemented best practices are described below:
- Customer implemented best practice: Restricted physical access to the control room or any room
in which Foxboro Process Automation workstations are physically located.
- Customer implemented best practice: Restricted external access to the DCS network either
through a well-configured firewall, a unidirectional security gateway device
such as a data diode, or complete separation of the DCS network from all
external network connections (air gap).
- User Account restrictions implemented via Microsoft Active
Directory and McAfee ePO to limit who has workstation access, along with what
and when they have access to cyber assets such as workstations and servers.
- Restricted access to load malicious software by locking out USB
ports and DVD/CD-ROM drives using the McAfee Data Loss Prevention tool.
- Intrusion detection system (McAfee HIPS) security control to
detect known non-malicious traffic and unauthorized machines (e.g., rogue PC).
- Apply whitelisting and blacklisting techniques to allow only
authorized software to execute while specifically preventing known malicious
software from execution, again implemented using McAfee tools.
By following these implementation and security standards, the possibility of a
malicious binary planting attack is substantially diminished. The
protections listed above effectively restrict external or unauthorized access to
the Foxboro Process Automation systems while still allowing authorized access to
Wonderware System Platform 2014 R2 Patch 01 provides further limits to
exploiting this vulnerability and will be qualified on future releases of
Foxboro Evo and Foxboro SCADA systems.
If you have any questions regarding this article, please contact your local Service Representative or a Schneider Electric Support Center at:
Asia Pacific GCS
Foxboro MA USA
+86 21 37180086
+86 21 37180196
Asia Pacific GCS
Global Customer Support
Distribution to Schneider Electric Customers and Internal Personnel Only
DO NOT REPRODUCE.
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.
Advisory #: 2015038abi
©Schneider Electric. All rights reserved