Major Vulnerabilities Found in Human Machine Interface
By David Silva on December 6, 2024
Executive Summary
Several vulnerabilities have been identified in myPRO, a product from mySCADA. myPRO is a human-machine interface (HMI) used to control and monitor industrial systems across many sectors. Two of the vulnerabilities received a Common Vulnerability Scoring System (CVSS) score of 10.0; the other three were scored 9.8, 7.5, and 8.1. The vulnerabilities were discovered by an independent researcher named Michael Heinzl, who reported them to the Cybersecurity and Infrastructure Security Agency (CISA). CISA notified mySCADA, which released a patch soon after to address the vulnerabilities. [3] Organizations using myPRO should update to the most current version if possible. If updating myPRO is not possible, organizations should implement additional security measures and ensure the HMI is not internet facing in order to maintain a secure environment.
Background
mySCADA is a company based in the Czech Republic that produces a variety of supervisory control and data acquisition (SCADA) products. myPRO can be used on many operating systems, including Windows, Linux, and macOS. According to mySCADA, myPRO is easy to use and provides an intuitive user interface while optimizing processes and therefore production. [4]
According to Inductive Automation, “An HMI is a user interface or dashboard that connects to a machine, system, or device. While the term can technically be applied to any screen that allows a user to interact with a device, HMI is most commonly used in the context of an industrial process.” [2] In this case myPRO is not a device itself but software that aggregates data from the many industrial devices that may make up an industrial control system (ICS). myPRO also detects irregularities and notifies the user so they can adjust devices as needed. [4]
Vulnerabilities
The vulnerabilities found in myPRO include (i) improper neutralization of special elements used in an OS command (‘OS command injection’), (ii) a second improper neutralization of special elements used in an OS command (‘OS command injection’), (iii) improper authentication, (iv) missing authentication for a critical function, and (v) path traversal. [1]
The first OS command injection is caused by improper input validation: input supplied to a parameter is passed through to the operating system, allowing an attacker to inject commands. The second OS command injection is caused by a parameter embedded in a command that can be manipulated to inject operating system commands. The improper authentication arises because myPRO does not use a strong enough method to verify the validity of authentication requests. The missing authentication for a critical function arises because a TCP port the interface listens on by default requires no authentication, so anyone who can reach the port can connect without being identified. Lastly, the path traversal arises from a filename parameter that the user controls; by manipulating it an attacker could potentially read files from the system outside the intended directory.
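As an added illustration of two of the bug classes described above (this is example code written for this post, not code from myPRO or mySCADA), the snippet below shows a hypothetical HMI export handler that validates a user-controlled filename parameter against its export directory and passes a user-controlled tag to an external tool without a shell. The export directory, the tool name and the tag format are assumptions.

```python
import re
from pathlib import Path

# Hypothetical export directory and tag format; constructed for this example,
# not taken from myPRO.
EXPORT_ROOT = Path("/var/lib/hmi/exports")
SAFE_TAG = re.compile(r"[A-Za-z0-9_.-]{1,64}")


class RequestRejected(ValueError):
    """Raised when a request parameter fails validation."""


def resolve_export_path(filename: str, root: Path = EXPORT_ROOT) -> Path:
    """Map a user-supplied filename parameter to a file strictly inside root.

    The weak pattern is `root / filename` with no check, which lets a value
    such as '../../etc/passwd' or an absolute path escape the directory.
    Here the candidate is resolved to an absolute path and rejected unless
    root is one of its parents; resolving also follows symlinks, so a link
    inside root that points outside it is rejected too.
    """
    if not filename or "\x00" in filename:
        raise RequestRejected("empty or NUL-containing filename")
    candidate = (root / filename).resolve(strict=False)
    if root.resolve(strict=False) not in candidate.parents:
        raise RequestRejected(f"path escapes export directory: {filename!r}")
    return candidate


def build_export_command(tag: str) -> list:
    """Build argv for a hypothetical export tool without involving a shell.

    The weak pattern is os.system(f"hmi-export {tag}"), where a tag such as
    'pump1; id' is parsed by the shell. Here the tag must match an allow-list
    pattern and is passed as a single argv element (for subprocess.run with
    shell=False), so shell metacharacters are never interpreted.
    """
    if not SAFE_TAG.fullmatch(tag):
        raise RequestRejected(f"invalid tag: {tag!r}")
    return ["hmi-export", "--tag", tag]


def is_accepted(validator, value) -> bool:
    """True if validator(value) succeeds, False if it rejects the input."""
    try:
        validator(value)
        return True
    except RequestRejected:
        return False
```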
Conclusion
HMIs are an important component of any ICS and are used throughout the industry to monitor and manage systems. Cooperation between researchers, the organizations producing these solutions, and cybersecurity organizations like CISA is important to ensure that vulnerabilities such as these are addressed. Organizations must regularly check for advisories and address known vulnerabilities, especially severe ones. Other manufacturers should also learn from mySCADA and put in place a process to address known vulnerabilities as quickly as possible, both to minimize successful attacks against their customer base and to maintain a good standing within the industry.
References
- Cybersecurity and Infrastructure Security Agency. (2024). mySCADA myPRO Manager (ICS Advisory ICSA-24-326-07). https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-07
- Inductive Automation. (2018). HMI: Human-Machine Interface. http://inductiveautomation.com/resources/article/what-is-hmi
- Kovacs, E. (2024). Vulnerabilities Expose mySCADA myPRO Systems to Remote Hacking. SecurityWeek. https://www.securityweek.com/vulnerabilities-expose-myscada-mypro-systems-to-remote-hacking/
- mySCADA Technologies. (n.d.). mySCADA Pro Web SCADA Runtime. https://www.myscada.org/mypro/