20 May 2022

KLCERT-21-007: Schneider Electric EcoStruxure Control Expert / Process Expert, SCADAPack RemoteConnect for x70. Information leak from project file

Timeline

  • Kaspersky ICS CERT advisory published

    20 May 2022

  • Advisory published

    July 2021


Exploitability

Local

Attack complexity

Low

User interaction

None

Impact

Successful exploitation of this vulnerability could allow an attacker to read sensitive data from project files, such as network and process information, credentials, or intellectual property.

Affected products

The following Schneider Electric products:

  • EcoStruxure™ Control Expert, all versions prior to V15.0 SP1, including all versions of Unity Pro (former name of EcoStruxure™ Control Expert)
  • EcoStruxure™ Process Expert, all versions prior to V2021, including all versions of EcoStruxure™ Hybrid DCS (former name of EcoStruxure™ Process Expert)
  • SCADAPack RemoteConnect™ for x70, all versions

Mitigation

EcoStruxure™ Control Expert versions prior to V15.1, including all versions of Unity Pro (former name of EcoStruxure™ Control Expert):

  • Update EcoStruxure™ Control Expert to V15.1
  • The fix is provided through an additional feature, “file encryption”. For further information on the feature and on setting it up please refer to the chapter “file encryption” of the help file available in EcoStruxure™ Control Expert v15.0 SP1
  • This feature is proposed by default when creating a new project
  • The feature is also available after selecting “project” in structural view, in the “Edit / Properties / Project & Controller Protection” menu
  • For new projects:
    • It is recommended that customers apply this feature to all new projects
  • For existing projects:
    • It is recommended that customers apply this feature to existing projects coming from trusted sources. It should be kept in mind that for .sta project files, project modification should be done in connected mode to prevent desynchronization and keep the controller in the RUN state
  • A security level specific to the Derived Function Blocks (DFB) can be configured in addition to the file encryption feature. Please refer to chapter “How to protect a DFB type” in the EcoStruxure™ Control Expert help file for further information
  • It is recommended that customers share project files only when configured with the encryption feature described above.
  • It is strongly recommended that customers using Unity Pro consider migrating to EcoStruxure™ Control Expert. Please contact your local Schneider Electric technical support for more information
  • Store project files in a secure storage and restrict access to trusted users only
  • When exchanging files over the network, use secure communication protocols
  • Encrypt project files when stored
  • Only open project files received from trusted sources
  • Compute a hash of each project file and regularly check the consistency of this hash to verify the integrity before usage
  • Harden the workstation running EcoStruxure™ Control Expert or Unity Pro

EcoStruxure™ Process Expert versions prior to V2021, including all versions of EcoStruxure™ Hybrid DCS (former name of EcoStruxure™ Process Expert):

  • Update EcoStruxure™ Process Expert to V2021
  • Refer to instructions provided for EcoStruxure™ Control Expert
  • Store project files in a secure storage and restrict access to trusted users only
  • When exchanging files over the network, use secure communication protocols
  • Encrypt project files when stored
  • Only open project files received from trusted sources
  • Compute a hash of each project file and regularly check the consistency of this hash to verify the integrity before usage
  • Harden the workstation running EcoStruxure™ Process Expert

SCADAPack RemoteConnect, all versions:

Schneider Electric is establishing a remediation plan for future versions that will include additional fixes for this vulnerability.

  • Store project files in a secure storage and restrict access to trusted users only
  • When exchanging files over the network, use secure communication protocols
  • Encrypt project files when stored
  • Only open project files received from trusted sources
  • Compute a hash of each project file and regularly check the consistency of this hash to verify the integrity before usage
  • Harden the workstation running SCADAPack RemoteConnect™
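
The recommendation to compute a hash of each project file and check it before usage, given above for all three products, can be implemented as a baseline manifest plus a verification pass. The following is an added example, not part of the advisory or of any Schneider Electric tooling; the file names, the manifest location and the sample contents are constructed, and the extension set is an assumption to adjust per site.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# ".sta" is the project file type named in the advisory; extend this set
# (assumption) to whatever project file extensions your site actually uses.
PROJECT_EXTS = {".sta"}

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large project archives are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every project file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in PROJECT_EXTS}

def write_baseline(root, manifest):
    """Record known-good hashes; keep the manifest outside the project share."""
    Path(manifest).write_text(json.dumps(snapshot(root), indent=2))

def verify(root, manifest):
    """Compare current files with the baseline before opening any of them."""
    base, cur = json.loads(Path(manifest).read_text()), snapshot(root)
    return {"modified": sorted(n for n in base if n in cur and cur[n] != base[n]),
            "missing": sorted(n for n in base if n not in cur),
            "unexpected": sorted(n for n in cur if n not in base)}

def demo():
    """Constructed sample data: two fake project files, then three changes."""
    with tempfile.TemporaryDirectory() as proj, tempfile.TemporaryDirectory() as vault:
        manifest = Path(vault) / "baseline.json"
        (Path(proj) / "line1.sta").write_bytes(b"constructed project A")
        (Path(proj) / "line2.sta").write_bytes(b"constructed project B")
        write_baseline(proj, manifest)
        (Path(proj) / "line1.sta").write_bytes(b"constructed project A, altered")
        (Path(proj) / "line2.sta").unlink()
        (Path(proj) / "received.sta").write_bytes(b"file from an unknown source")
        return verify(proj, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the manifest, so store the baseline where users of the project share cannot write to it, and treat any non-empty list as a reason not to open the file until its origin is confirmed.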

General Security Recommendations

Schneider Electric strongly recommends the following industrial cybersecurity best practices:

  • Ensure that cybersecurity features in Schneider Electric solutions are always enabled
  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network
  • Install physical controls to ensure that no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks
  • Place all controllers in locked cabinets and, when applicable, do not leave them in “Program” mode
  • Never connect programming software and engineering workstations to any network other than the network for which it is intended
  • ICS networks should be appropriately partitioned and should not be directly connected to business networks or the internet
  • Scan all media used for mobile data exchange with an isolated network, such as CDs, USB drives, etc., before using them in terminals or any node connected to these networks
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the internet

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees with respect to information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
