Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, and Modicon M340, M580 and M580 Safety PLCs

Risk Summary

Schneider Electric is aware of multiple vulnerabilities in its EcoStruxure Control Expert , EcoStruxure Process Expert and Modicon M340, M580 PLCs (Programmable Logic Controllers). Modicon PLCs control and monitor industrial operations. EcoStruxure Control Expert is the common programming, debugging and operating software for Modicon PLCs. EcoStruxure Process Expert DCS is a single automation system to engineer, operate, and maintain an entire plant Infrastructure. Failure to apply the remediations provided below may risk unauthorized access to your PLC, which could result in the possibility of denial of service and loss of confidentiality, integrity of the controller. Note regarding vulnerability details: The severity of vulnerabilities was calculated using the CVSS Base metrics in version 3.1 (CVSS v3.1) without incorporating the Temporal and Environmental metrics. Schneider Electric recommends that customers score the CVSS Environmental metrics, which are specific to end-user organizations, and consider factors such as the presence of mitigations in that environment. Environmental metrics may refine the relative severity posed by the vulnerabilities described in this document within a customer’s environment

CVEs (3)

Remediations

• SV3.60 of Modicon M340 firmware includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product-range/1468- modicon-m340
• SV4.20 of Modicon M580 firmware includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product-range/62098- modicon-m580-epac/ - software-and-firmware
• Version 16.0 of EcoStruxure Control Expert includes a fix for these vulnerabilities and is available for download here: https://www.se.com/ww/en/product-range/548- ecostruxure-control-expert-unity-pro/ Reboot the computer after installation is completed
• Version 15.3 HF008 of EcoStruxure Control Expert includes the fix for these vulnerabilities and are available for download here: https://www.se.com/ww/en/product-range/548- ecostruxure-control-expert-unity-pro/
• Firmware SV4.21 includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product-range/62098-modicon-m580-pac-controller/#software-andfirmware Important: customer needs to use version of EcoStruxure Control Expert v16.0 HF001 minimum to connect with the latest version of M580 CPU Safety. The software is available for download here: https://www.se.com/ww/en/product-range/548-ecostruxure-control-expert-unity-pro/#software-andfirmware
• Setup an application password in the project properties • Setup network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List following the recommendations of the user manuals: “Modicon M340 for Ethernet Communications Modules and Processors User Manual” in chapter “Messaging Configuration Parameters”: https://www.se.com/ww/en/download/document/31007131K01000/ • Setup a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Setup secured communications”: https://www.se.com/ww/en/download/document/EIO0000001999/ • Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”: https://www.se.com/ww/en/download/document/EIO0000001999/ • Ensure the M340 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”: • https://www.se.com/ww/en/download/document/EIO0000001999/
• Setup an application password in the project properties • Setup network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List following the recommendations of the user manuals: “Modicon M580, Hardware, Reference Manual”: https://www.se.com/ww/en/download/document/EIO0000001578/ Setup a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Setup secured communications”: https://www.se.com/ww/en/download/document/EIO0000001999/ • use a BMENOC module and follow the instructions to configure IPSEC feature as described in the guideline “Modicon M580 - BMENOC03.1 Ethernet Communications Schneider Electric Security Notification Module, Installation and Configuration Guide” in the chapter “Configuring IPSEC communications”: https://www.se.com/ww/en/download/document/HRB62665/ OR • Use a BMENUA0100 module and follow the instructions to configure IPSEC feature as described in the chapter “Configuring the BMENUA0100 Cybersecurity Settings”: https://www.se.com/ww/en/download/document/PHA83350 OR • Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”: https://www.se.com/ww/en/download/document/EIO0000001999/ • Ensure the M580 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”: https://www.schneiderelectric.com/en/download/document/EIO0000001999/ NOTE: The CPU memory protection cannot be configured with M580 Hot Standby CPUs. In such cases, use IPsec encrypted communication.
• If customers choose not to apply the remediation then they are encouraged to immediately apply the following mitigations to reduce the risk of exploit: • Setup an application password in the project properties • Setup network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List following the recommendations of the user manuals: “Modicon M580, Hardware, Reference Manual”: https://www.se.com/ww/en/download/document/EIO0000001578/ • Setup a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Setup secured communications”: https://www.se.com/ww/en/download/document/EIO0000001999/ • use a BMENOC module and follow the instructions to configure IPSEC feature as described in the guideline “Modicon M580 - BMENOC03.1 Ethernet Communications Schneider Electric Security Notification Module, Installation and Configuration Guide” in the chapter “Configuring IPSEC communications”: https://www.se.com/ww/en/download/document/HRB62665/ OR • Use a BMENUA0100 module and follow the instructions to configure IPSEC feature as described in the chapter “Configuring the BMENUA0100 Cybersecurity Settings”: https://www.se.com/ww/en/download/document/PHA83350 OR • Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”: https://www.se.com/ww/en/download/document/EIO0000001999/ • Ensure the M580 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”: https://www.schneiderelectric.com/en/download/document/EIO0000001999/ NOTE: The CPU memory protection cannot be configured with M580 Hot Standby CPUs. In such cases, use IPsec encrypted communication. • To further reduce the attack surface on Modicon M580 CPU Safety: Ensure the CPU is running in Safety mode and maintenance input is configured to maintain this Safety mode during operation – refer to the document Modicon M580 - Safety System Planning Guide - in the chapter “Operating Mode Transitions”: https://www.se.com/ww/en/download/document/QGH60283/
• Enable encryption on application project and store application files in secure location with restricted access only for legitimate users. • Schneider Electric recommends using McAfee Application and Change Control software for application control. Refer to the Cybersecurity Application Note available here. • Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices available for download here.
• EcoStruxure Process Expert manages application files within its database in secure way. Do not export & store them outside the application. • Schneider Electric recommends using McAfee Application and Change Control software for application control. Refer to the Cybersecurity Application Note available here. • Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices available for download here.
• Setup an application password in the project properties• Setup network segmentation and implement a firewall to block all unauthorized access to port 502/TCP• Configure the Access Control List following the recommendations of the user manuals:• “Modicon MC80 Programmable Logic Controller (PLC) manual” in the chapter “Access Control List (ACL)”:https://www.se.com/ww/en/download/document/EIO0000002071/Setup a secure communication according to the following guideline “Modicon Controller Systems Cybersecurity, User Guide” in chapter “Set Up Encrypted Communication”:
• Setup an application password in the project properties• Setup network segmentation and implement a firewall to block all unauthorized access to port 502/TCP• Setup a secure communication according to the following guideline “Modicon Controller Systems Cybersecurity, User Guide” in chapter “Set Up Encrypted Communication”:
• Firmware SV2.90 includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product-range/535-modicon-momentum/ Important: customer needs to use version of EcoStruxure Control Expert v16.2 HF003 minimum to connect with the latest version of Modicon Momentum. The software is available for download here: https://www.se.com/ww/en/product-range/548-ecostruxure control-expert-unity-pro/#software-and-firmware
• Schneider Electric is establishing a remediation plan for all future versions of EcoStruxure Process Expert that will include a fix for this vulnerability. We will update this document when the remediation is available. Until then, customers should immediately apply the following mitigations to reduce the risk of exploit: • Setup an application password in the project properties • Setup network segmentation and implement a firewall to block all unauthorized access to port 502/TCP • Configure the Access Control List following the recommendations of the user manuals: “Modicon M580, Hardware, Reference Manual”: https://www.se.com/ww/en/download/document/EIO0000001578/ • Setup a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Setup secured communications”: https://www.se.com/ww/en/download/document/EIO0000001999/ • use a BMENOC module and follow the instructions to configure IPSEC feature as described in the guideline “Modicon M580 - BMENOC03.1 Ethernet Communications Schneider Electric Security Notification Module, Installation and Configuration Guide” in the chapter “Configuring IPSEC communications”: https://www.se.com/ww/en/download/document/HRB62665/ OR • Use a BMENUA0100 module and follow the instructions to configure IPSEC feature as described in the chapter “Configuring the BMENUA0100 Cybersecurity Settings”: https://www.se.com/ww/en/download/document/PHA83350 OR • Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”: https://www.se.com/ww/en/download/document/EIO0000001999/ • Ensure the M580 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”: https://www.schneiderelectric.com/en/download/document/EIO0000001999/ NOTE: The CPU memory protection cannot be configured with M580 Hot Standby CPUs. In such cases, use IPsec encrypted communication. • To further reduce the attack surface on Modicon M580 CPU Safety: Ensure the CPU is running in Safety mode and maintenance input is configured to maintain this Safety mode during operation – refer to the document Modicon M580 - Safety System Planning Guide - in the chapter “Operating Mode Transitions”: https://www.se.com/ww/en/download/document/QGH60283/

Affected Vendors

Affected Products (13)

Affected Sectors

Critical Manufacturing