"We are aware of this security issue," Edwin Schwellinger, support manager at 3S-Smart Software, said Friday via email. "A patch is under development but not released. We are working with high pressure on these issues."
The vulnerability is only exploitable by an attacker who already has access to the network where the PLC runtime operates, Schwellinger said. Runtime systems should not be accessible from the Internet unless additional protection is in place, he said.
"Quite a few vulnerable CoDeSys systems are Internet-exposed," Reid Wightman, who now works as a security consultant for IOActive, said Thursday on Twitter. "Some found via shodan [a search engine], some found via custom scanning."
"No PLC should be accessible from the Internet ever," Santamarta said. However, many networks are compromised via advanced persistent threats -- malware that provides attackers with local network access -- and in those cases the perimeter doesn't matter anymore, he said.
"As much as possible avoid to expose PLCs and PLC networks to public networks and Internet," Schwellinger said. Customers should use additional security layers like virtual private networks (VPNs) for remote access, should install firewalls and should restrict access to sensitive networks only to authorized people, he said.
"Anything related to the SCADA [supervisory control and data acquisition] environment is a serious matter," said Luigi Auriemma, a security researcher at vulnerability research firm ReVuln who previously found and disclosed vulnerabilities in SCADA systems, via email Friday. "If you can control the PLC then you can control the infrastructure."
For example, after infecting PLCs at Iran's Natanz nuclear fuel enrichment plant, the Stuxnet malware altered their programming and destroyed around 1,000 uranium enrichment centrifuges. The attack is believed to have set back Iran's nuclear program by up to two years.
Fortunately, there are some workarounds that vendors can implement in the absence of an official patch.
"The tools do not work on at least one of the vendor's products, who chooses to remain anonymous," Peterson said. "The vendor has a security development lifecycle (SDL) that included threat modeling. They identified the threat of uploading rogue ladder logic and other malicious files, saw that this was not addressed by the CoDeSys runtime, and added a 'security envelope' around the runtime. So basically the user, or attacker, is required to authenticate before he can gain access to the port the CoDeSys runs on."
Meanwhile, users of the affected products can implement network segmentation, access control lists, firewalls and intrusion prevention systems, Santamarta said.