Updates are necessary to protect GE SCADA systems and real-time databases from vulnerabilities that attackers could exploit to disrupt utilities and factory operations.
Positive Technologies today announced it has found vulnerabilities in GE software designed for automation equipment in power, water, oil and gas, food, automobile, construction, and other industries. If not patched, the vulnerabilities, which involve possible interception and abuse of passwords, could be exploited to disrupt operations at thousands of plants around the world.
Vulnerability CVE-2016-9360, with CVSS v3 score 6.4, makes it possible for an attacker to access legitimate sessions and intercept user passwords locally. General Electric products Proficy HMI/SCADA iFIX 5.8 SIM 13, Proficy HMI/SCADA CIMPLICITY 9.0, Proficy Historian 6.0, and their previous versions are vulnerable.
Another flaw makes it possible for an attacker or malware with local access to obtain industrial database passwords after a few tweaks. iFIX 5.8 (Build 8255) and previous builds are exposed to this defect.
In the third vulnerability found by Positive Technologies, the Proficy Historian Administrator 220.127.116.11 industrial database makes it possible for a local attacker to block authorization of the application in the real-time database. Such a block would cause either a failure in the read/write history or inoperability of the database.
In addition, Positive Technologies discovered a critical fault in a security mechanism used by all three systems, related to the use of non-unique passwords for network access authorization. This fault allows remote access to the control of industrial processes.
A motivated attacker could use these vulnerabilities to change factory and utility processes, damage and break equipment, and cause economic losses and large-scale service outages.
To eliminate the vulnerabilities, Proficy HMI/SCADA iFIX needs to be updated to version 5.8 SIM 14, Proficy HMI/SCADA CIMPLICITY to version 9.5, and Proficy Historian to version 7.0.
“Any time when user passwords are available in clear text, this may result in an attacker taking control of the SCADA system,” said Ilya Karpov, Head of the ICS Research and Audit Unit at Positive Technologies. “And when non-unique passwords are used for authorization, attackers can affect process operations, causing not only interruptions but also equipment damage or breakdown. If an attacker or malware obtains a password to a database, they can illegitimately modify it, creating various emergencies and deleting the history data that is critical for finding the perpetrator.”
Positive Technologies develops a number of products, customized for industrial protocols, to detect vulnerabilities and cyberincidents on SCADA systems.