As the NSA urges companies to secure their industrial networks, two vulnerabilities were found in Schneider Electric Triconex SIS devices. Both of the vulnerabilities reside within the Tricon Communication Module (TCM) which connects the Triconex SIS to Ethernet networks. The first vulnerability (CVE-2020-7486) is a Denial of Service attack that causes the TCM to enter a fault state, and the latter (CVE-2020-7491), a more serious one, is a legacy debug port exposed to the network, that allows attackers to get root style privileges on the TCM, and upload malicious firmware to it.
While the vulnerabilities themselves are severe, exploiting them will not directly impact the SIS operation. In case of a failure in a plant, SIS operations will work normally.
Most SIS devices use the key switch methodology, where a physical switch controls the state of the SIS. When the SIS is operating normally, this switch should be in the ‘Run’ state. In order to harm the SIS from the TCM by uploading malicious code to it, the SIS key switch must first be physically changed to ‘Program’ or ‘Remote’.
Leveraging CVE-2020-7491, an attacker can write its own firmware to the TCM. Because the TCM resides between the SIS and the OT Ethernet network, malicious code installed on it TCM can be used to hide or modify activity sent or received by the SIS.
SIS HMIs are usually connected to the Ethernet network. These HMIs can be fed incorrect information from the TCM module, causing fake SIS data to be displayed in the HMI.
Moreover, the TCM could hide the malicious code blocks from the programming software, rendering it undetected from engineers.
Similar practices have been seen in the past in the Stuxnet campaign, hooking network code to hide malicious activity. A rootkit was installed on PCs with engineering software and a part of its operation was to hide the infected PLC code blocks from being seen in the programming software.
Moreover, Stuxnet prevented operators from noticing its set of instructions sent to peripheral devices (centrifuges, etc) by hiding those instructions from the process image output. These monitoring and HMIs devices were fed incorrect information showing that the PLCs are functioning normally, and no out of the ordinary instructions were sent to them.