Encryption Vulnerabilities Allow Hackers to Take Control of Schneider Electric PLCs

Schneider Electric this week released advisories for vulnerabilities impacting various products, including flaws that can be exploited to take control of Modicon M221 programmable logic controllers (PLCs).

A total of four vulnerabilities were discovered in Modicon M221 PLCs by researchers at industrial cybersecurity firm Claroty. Three of them were identified independently by employees of cybersecurity company Trustwave. Both Trustwave and Claroty have published blog posts detailing their findings.

The security holes, three of which have been rated high severity by Schneider, are related to encryption and authentication. The French industrial giant has shared some recommendations that customers can implement to reduce the risk of attacks.

Karl Sigler, senior threat intelligence manager at  Trustwave, told SecurityWeek that an attacker needs to have a foothold on the OT network in order to exploit any of the vulnerabilities.

“By bypassing authentication protections and having direct access to manipulate the PLC, an attacker could take over complete control of the PLC actions, which could be catastrophic depending what type of OT environment the PLC is deployed,” Sigler explained. “This could potentially lead to complete failure of the control systems or hazardous situations where the safety of the systems is compromised.”

Yehuda Anikster, senior researcher at Claroty, told SecurityWeek that exploitation of the vulnerabilities requires capturing traffic between the EcoStruxure Machine engineering software and the targeted PLC.

“The attackers would then need to wait for an engineer or technician to connect and enter a password or perform download/upload operations to the M221 using the engineering software,” Anikster said. “At this stage, the attackers have all they need and can now extract the encryption key from the captured network traffic in order to decrypt the read/write passwords from the traffic.”

“After the attackers have obtained the read/write passwords, they can do anything they wish to the M221 PLC as if they were the engineers themselves. This includes uploading the M221’s program, downloading (and overwriting) a program to the M221, changing the read/write passwords, stopping/starting the M221, and more,” the researcher added. “For example, attackers can extract all the code running on the M221s, stealing the company’s control process logic. Another potential scenario is of attackers deleting all the code and changing all passwords on the M221s, blocking all access to the devices and rendering the PLCs unusable in a denial-of-service attack. Furthermore, sly attackers could perform a Stuxnet-like attack and slightly change the code on the M221s to wreak havoc on the company’s devices.”

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Schneider Electric also informed customers this week of critical and high-severity vulnerabilities affecting its PLC Simulator product, including ones that can be exploited for arbitrary command execution and DoS attacks.

It also warned of a critical flaw in the Easergy T300 RTU, which can allow command execution and DoS attacks, and several high-severity remote code execution vulnerabilities affecting the Interactive Graphical SCADA System (IGSS) product.

The vendor also advised customers to apply defense-in-depth measures to protect Q Data Radio and J Data Radio devices against Drovorub, a Russia-linked malware that was recently detailed by the NSA and the FBI.

Related: Another Stuxnet-Style Vulnerability Found in Schneider Electric Software

Related: Schneider Electric Patches Vulnerabilities in Modicon, EcoStruxure Products