Only a local hacker in a facility would be able to run an attack.
General Electric (GE) has pushed out an update to its industrial control systems following the discovery of vulnerabilities that create a way for hackers to steal SCADA system passwords.
Potential exploits based on the vulnerabilities could be abused to cause process flow disruptions in power stations, utility providers and factories, according to Positive Technologies, the security firm that discovered the flaws.
A spokeswoman for GE Digital played down the vulnerabilities, which she said can’t be exploited remotely. Only a local hacker in a plant or facility would have been in a position to run an attack, she said, adding that there had been no signs of exploitation.
The CVE-2016-9360 vulnerability (CVSS v3 score 6.4) makes it possible for an attacker to have access to legitimate sessions, intercepting user passwords locally. General Electric’s Proficy HMI/SCADA iFIX 5.8 SIM 13, Proficy HMI/SCADA CIMPLICITY 9.0, Proficy Historian 6.0 and their previous versions are vulnerable.
Another flaw makes it possible for an attacker or malware with local access to obtain industrial database passwords. iFIX 5.8 (Build 8255) and previous versions are vulnerable.
A third vulnerability makes it possible for a local attacker to block the authorisation of the application in the realtime database, either causing a failure at reading and recording history or database inoperability. Industrial database Proficy Historian Administrator 220.127.116.11 need updating in response to his flaw.
Positive Technologies also claimed to have discovered a critical fault in a security mechanism of all three systems related to use of standard passwords at network access authorisation. This allows remote access to industrial process control, the security firm warns. GE disputes this saying that the flaws, which were resolved in December, present only a local hack risk.
Proficy HMI/SCADA iFIX needs to be updated to version 5.8 SIM 14, Proficy HMI/SCADA CIMPLICITY to version 9.5, and Proficy Historian to version 7.0.
The vulnerabilities were reported to GE on July 31, 2015. The install base of Proficy product family (CIMPLICITY, iFix, Historian) is in the thousands, and they are deployed across multiple industries.