When people talk about IoT – the Internet of Things – these days, they are thinking of Amazon Alexa or Philips Hue lightbulbs, but IoT started in factories and warehouses, decades ago.
Industrial automation, or IIoT, is still where the biggest risk in IoT attacks lies.
Today we learned about a critical remote code execution bug in Schneider Electric’s programmable logic controllers, or PLCs.
The bug would allow an attacker to get root-level access to these controllers and have full control over the devices.
These PLCs are used in manufacturing, building automation, healthcare and many other places.
If the bug is exploited, attackers could shut down production lines, elevators, heating and air conditioning systems and other automation.
The good news, if there is any, is that the attacker would need to gain access to the network first. That could mean an insider attack, a physical infiltration or something as simple as really bad remote access security, like at that water plant in Florida. That means that you probably should not count on this extra level of hardness to protect the millions of systems that use Modicon controllers.
Schneider Electric has released some “mitigations” but has not released a patch yet.
The bug is rated 9.8 out of 10 for badness.
What is really concerning is that Schneider released patches for dozens of bugs today.
Given that IIoT users almost never install patches, this “patch release” doesn’t make me feel much better.
But it appears that the velocity of IIoT bug disclosures and patches is dramatically increasing. Given that, factory and other IIoT owners have to choose between two uncomfortable options – don’t patch and risk getting hacked, or patch and deal with the downtime. They are not going to like either choice, but they are going to have to choose.
My guess is that they are going to choose not to patch and we are going to see a meltdown somewhere that is going to be somewhat uncomfortable for the owner. An example of past similar events is the Russians blowing up a Ukrainian oil pipeline a few years ago. In the middle of winter. When the temperature was below zero.