Stuxnet and Vulnerabilities In Schneider Triconex SIS Controllers

Overview

As the NSA urges companies to secure their industrial networks, two vulnerabilities were found in Schneider Electric Triconex SIS devices. Both of the vulnerabilities reside within the Tricon Communication Module (TCM) which connects the Triconex SIS to Ethernet networks. The first vulnerability (CVE-2020-7486) is a Denial of Service attack that causes the TCM to enter a fault state, and the latter (CVE-2020-7491), a more serious one, is a legacy debug port exposed to the network, that allows attackers to get root style privileges on the TCM, and upload malicious firmware to it.

While the vulnerabilities themselves are severe, exploiting them will not directly impact the SIS operation. In case of a failure in a plant, SIS operations will work normally. 

Most SIS devices use the key switch methodology, where a physical switch controls the state of the SIS. When the SIS is operating normally, this switch should be in the ‘Run’ state. In order to harm the SIS from the TCM by uploading malicious code to it, the SIS key switch must first be physically changed to ‘Program’ or ‘Remote’.

Hiding Malicious Activity, As Seen In Stuxnet

Leveraging CVE-2020-7491, an attacker can write its own firmware to the TCM. Because the TCM resides between the SIS and the OT Ethernet network, malicious code installed on it TCM can be used to hide or modify activity sent or received by the SIS.

SIS HMIs are usually connected to the Ethernet network. These HMIs can be fed incorrect information from the TCM module, causing fake SIS data to be displayed in the HMI. 

Moreover, the TCM could hide the malicious code blocks from the programming software, rendering it undetected from engineers. 

Similar practices have been seen in the past in the Stuxnet campaign, hooking network code to hide malicious activity. A rootkit was installed on PCs with engineering software and a part of its operation was to hide the infected PLC code blocks from being seen in the programming software.
Moreover, Stuxnet prevented operators from noticing its set of instructions sent to peripheral devices (centrifuges, etc) by hiding those instructions from the process image output. These monitoring and HMIs devices were fed incorrect information showing that the PLCs are functioning normally, and no out of the ordinary instructions were sent to them.

Mitigation Recommendations

1. There are countless vulnerabilities in industrial equipment, and more vulnerabilities are discovered every day. A safety net in the form of a passive, industrial network traffic monitoring system (such as the SCADAfence Platform), will be able to slow down all attacks, enabling you to respond, and will detect most attack vectors. Such products increase the cost of an attack, in a way that makes the attack irrelevant for most attackers. See our webinar on Efficient Industrial Cyber Security Programs for more information.
2. Update the TCM modules using the latest firmware from Schneider Electric. Updates can be found in the official advisory - Legacy Triconex  Product Vulnerabilities
3. Make sure SIS devices are behind a firewall and only communicating in ports they should communicate in. Both vulnerabilities were found in undocumented services communicating on non standard ports.