Schneider Electric has issued a security advisory to its customers. It covers all versions of its Conext Combox (SKU 865-1058) and Conext Battery Monitor (SKU 865 1080 01) products and warns that the USB drive shipped with these products may be infected with malware. The infection is believed to have occurred during manufacture at a third-party supplier's facility.
Schneider Electric says that the USB drive does not contain any essential software required to operate the devices. Instead, it contains additional utilities and product documentation. Even so, most customers are likely to have used the USB drive to set up and configure the products.
The company has provided links to clean versions of the documents and utilities. Users can now download them directly from the product websites for the Conext Combox and the Conext Battery Monitor.
The company is telling customers that the malware can be removed using normal endpoint security software. It is not saying what the malware is or what risk it poses to customers.
Another third-party supplier breach
There are several issues here. Schneider Electric put the news out via the security page on its company website. How many customers of the two Conext products check that page regularly? Why did it not email all customers with registered products? Have its distributors sent out alerts to customers using the products? Why did it not issue a press release to speed up customer awareness?
Putting aside the question of contacting customers, there is a much wider issue here. This is yet another breach via a third-party supplier. Few companies own their entire supply chain. They have cut costs, and often improved efficiency, by using third parties. However, that supply chain is an increasingly easy attack vector for cybercriminals.
What mechanism did Schneider Electric have to check each batch of USB drives? How often does its security team visit suppliers? What audits does it carry out of supplier cyber security arrangements? Can it be certain that this won’t happen again?
Answering that last question will require an overhaul of Schneider Electric's partner processes for manufacturing. That is likely to take time and is not a quick fix. The fact that it took so long before the infection was discovered also suggests a quality failure. Where software or media is provided by a third party, quality processes should include a full software security check of each batch before it ships.
What does this mean
Schneider Electric is not the first and certainly won't be the last company to be damaged by a third-party supplier. It is increasingly easy for attackers to contaminate software at manufacturing plants. To deal with this, organisations need to do more when they check each batch of products. Many focus on the core product they manufacture rather than on the security of any software that ships alongside it.
While Schneider Electric says that no core software was affected, the USB drive did contain setup, installation and advanced installation documents and utilities. Customers will have referred to these, which means the USB drives should have been scanned before shipping. Simply putting the responsibility back on the customer is not enough. A vendor cannot guarantee that customers have up-to-date anti-malware software, and even if they do, that does not absolve the company of ensuring its products are not distributing malware.
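One concrete form such a batch check can take is shown below. This is an added example and not Schneider Electric's process or code: it hashes every file on a sample drive from a batch and compares the result against a manifest taken from the engineering golden master, flagging files that were modified, removed, or added (a dropped autorun.inf or hidden dropper shows up as "unexpected"). The directory layout, file names and the simulated tampering are all constructed for the demo.

```python
"""Batch acceptance check for shipped media: compare every file on a drive
image against a manifest of SHA-256 hashes taken from the golden master.

Added example; not Schneider Electric's process. The directory layout,
file names and the tampering are constructed here for the demo.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by POSIX relative path.

    Run this once against the golden master that engineering released and
    store the result somewhere the duplication house cannot write to; a
    manifest read from the drive under test proves nothing.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_media(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a mounted drive (or extracted image) against the manifest.

    modified:   present but hash differs (trojanised utility, patched PDF)
    missing:    in the manifest but absent from the drive
    unexpected: on the drive but not in the manifest (autorun.inf, hidden
                droppers, stray files from the duplication host)
    """
    seen = build_manifest(root)
    return {
        "modified": sorted(p for p, h in seen.items()
                           if p in manifest and manifest[p] != h),
        "missing": sorted(p for p in manifest if p not in seen),
        "unexpected": sorted(p for p in seen if p not in manifest),
    }


def media_is_clean(report: dict[str, list[str]]) -> bool:
    """A batch passes only if every category is empty."""
    return not any(report.values())


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Build a golden master and a batch sample in a temp dir, check the
    sample before and after simulated tampering, and return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        master = Path(tmp, "master")
        sample = Path(tmp, "sample_from_batch")
        # Constructed stand-ins for the utilities and documentation.
        files = {
            "docs/installation_guide.pdf": b"%PDF-1.4 constructed sample\n",
            "tools/config_utility.exe": b"MZ constructed utility image\n",
            "README.txt": b"Conext utilities and documentation\n",
        }
        for rel, data in files.items():
            for base in (master, sample):
                dest = base / rel
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(data)
        manifest = build_manifest(master)

        clean_report = verify_media(sample, manifest)

        # Simulate a compromised duplication host: append to a utility and
        # drop an autorun file. Both are constructed, not real malware.
        (sample / "tools/config_utility.exe").write_bytes(
            files["tools/config_utility.exe"] + b"<appended payload>\n")
        (sample / "autorun.inf").write_bytes(
            b"[autorun]\nopen=tools\\config_utility.exe\n")
        tampered_report = verify_media(sample, manifest)
        return clean_report, tampered_report


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean sample ok:", media_is_clean(clean))
    print("tampered sample:", tampered)
```

Two caveats apply. The manifest must come from the release master and be stored outside the supplier's reach, otherwise whoever adds files to the drive can regenerate the manifest as well. And a hash comparison only proves the media matches what engineering released; if the master itself was contaminated, only a malware scan and a review of the release build would catch it, so the two checks complement each other rather than replace each other.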
When we get answers to our questions from Schneider Electric we will update this story.