Similarities Between Stuxnet And Latest Vulnerabilities Found In Schneider Triconex SIS Controllers

 

Overview

As the NSA urges companies to secure their industrial networks, two vulnerabilities were found in Schneider Electric Triconex SIS devices. Both of the vulnerabilities reside within the Tricon Communication Module (TCM) which connects the Triconex SIS to Ethernet networks. The first vulnerability (CVE-2020-7486) is a Denial of Service attack that causes the TCM to enter a fault state, and the latter (CVE-2020-7491), a more serious one, is a legacy debug port exposed to the network, that allows attackers to get root style privileges on the TCM, and upload malicious firmware to it.

While the vulnerabilities themselves are severe, exploiting them will not directly impact the SIS operation. In case of a failure in a plant, SIS operations will work normally. 

Most SIS devices use the key switch methodology, where a physical switch controls the state of the SIS. When the SIS is operating normally, this switch should be in the ‘Run’ state. In order to harm the SIS from the TCM by uploading malicious code to it, the SIS key switch must first be physically changed to ‘Program’ or ‘Remote’.

 

Hiding Malicious Activity, As Seen In Stuxnet

Leveraging CVE-2020-7491, an attacker can write its own firmware to the TCM. Because the TCM resides between the SIS and the OT Ethernet network, malicious code installed on it TCM can be used to hide or modify activity sent or received by the SIS.

SIS HMIs are usually connected to the Ethernet network. These HMIs can be fed incorrect information from the TCM module, causing fake SIS data to be displayed in the HMI. 

Moreover, the TCM could hide the malicious code blocks from the programming software, rendering it undetected from engineers. 

Similar practices have been seen in the past in the Stuxnet campaign, hooking network code to hide malicious activity. A rootkit was installed on PCs with engineering software and a part of its operation was to hide the infected PLC code blocks from being seen in the programming software.
Moreover, Stuxnet prevented operators from noticing its set of instructions sent to peripheral devices (centrifuges, etc) by hiding those instructions from the process image output. These monitoring and HMIs devices were fed incorrect information showing that the PLCs are functioning normally, and no out of the ordinary instructions were sent to them.

 

Mitigation Recommendations

  1. There are countless vulnerabilities in industrial equipment, and more vulnerabilities are discovered every day. A safety net in the form of a passive, industrial network traffic monitoring system (such as the SCADAfence Platform), will be able to slow down all attacks, enabling you to respond, and will detect most attack vectors. Such products increase the cost of an attack, in a way that makes the attack irrelevant for most attackers. See our webinar on Efficient Industrial Cyber Security Programs for more information.
  2. Update the TCM modules using the latest firmware from Schneider Electric. Updates can be found in the official advisory – Legacy Triconex  Product Vulnerabilities
  3. Make sure SIS devices are behind a firewall and only communicating in ports they should communicate in. Both vulnerabilities were found in undocumented services communicating on non standard ports.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.