Microsoft finds vulnerabilities it says could be used to shut down power plants
Exploitation is hard and patches are already out, but the potential risk is great.

Microsoft on Friday disclosed 15 high-severity vulnerabilities in a widely used collection of tools used to program operational devices inside industrial facilities such as plants for power generation, factory automation, energy automation, and process automation. The company warned that while exploiting the code-execution and denial-of-service vulnerabilities was difficult, it enabled threat actors to “inflict great damage on targets."

The vulnerabilities affect the CODESYS V3 software development kit. Developers inside companies such as Schneider Electric and WAGO use the platform-independent tools to develop programmable logic controllers, the toaster-sized devices that open and close valves, turn rotors, and control various other physical devices in industrial facilities worldwide. Specifically, the SDK allows developers to make PLCs compatible with IEC 611131-3, an international standard that defines programming languages that are safe to use in industrial environments. Examples of devices that use CODESYS V3 include Schneider Electric’s Modicon TM251 and the WAGO PFC200.