Schneider Electric snafu shows the need to stay vigilant over supply chain

Energy-management software giant Schneider Electric has alerted customers that they may have received malware-laced USB drives in recent shipments of some of the company's products.

The USB drives contained product documentation and “non-essential software utilities” in support of Schneider Electric’s Conext Combox and Conext Battery Monitor solar-power-related products, the company said in a security advisory dated Aug. 24.

Some USB drives shipped with the products “were contaminated with malware during manufacturing by one of our suppliers,” the advisory states.

The USB drives do not contain operational software and the products’ operational security is therefore unaffected, according to Schneider Electric. “All major anti-malware” scanners can detect and block the malware, the company said.


“Users are strongly encouraged to securely discard any USB removable media provided with these products,” the advisory says. “Users who believe they may have used one of the potentially-affected USB removable media are encouraged to perform a full scan of their system to check for and clean any identified malicious software using any standard anti-malware application program.”

With a presence in more than 100 countries, France-based Schneider Electric is a major global supplier of software used by energy facilities.

“Incidents with removable media are nothing new to industry and provide a solid reminder that we need to remain vigilant about any and all ways that our systems can be compromised,” Marty Edwards, the former head of the Department of Homeland Security’s ICS-CERT, told CyberScoop. He credited Schneider Electric for alerting its customers to the malware so it can be addressed.

Bryan L. Singer, who has years of experience in industrial control systems (ICS) supply-chain security, advised against using USB drives for distributing informational material because the drives can be susceptible to supply-chain compromises. A customer portal hosted by the manufacturer itself, for example, is likely a more secure way of disseminating that information, Singer, CTO of ICS security company Red Trident Inc., told CyberScoop.

While the malware announced by Schneider Electric is apparently easy to detect, other USB security flaws can be much stealthier, making the device a logical target for hackers. One example came in 2014, when researchers showed how a USB exploit could be used to manipulate web cams and keyboards.


In response to several questions CyberScoop sent to Schneider Electric on the malware, a spokesperson declined to comment beyond the security advisory.

ZDNet was first to report on the security advisory.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
