Schneider Power Meter Vulnerability Puts Power Outages at Risk

A security vulnerability has been uncovered in Schneider Electric ION and PowerLogic power meters that could potentially allow attackers to intercept user credentials and make unauthorized changes to configuration settings or firmware. The vulnerability, which has been given a CVSS vulnerability-severity rating of 8.8 out of 10, lies in the fact that the power meters transmit user IDs and passwords in plaintext with every message.

The implications of this vulnerability are significant. An attacker with passive interception capabilities would be able to obtain these credentials and gain access to the ION/TCP engineering interface, SSH, and HTTP interfaces. This access could potentially allow them to manipulate smart meter switches, causing load oscillations that could lead to shutdowns. In extreme cases, if a domino effect were to occur, this could result in a blackout.

Daniel dos Santos, head of security research at Forescout, emphasized that it is no longer acceptable for operational technology (OT) products to transmit credentials in plaintext, and that this vulnerability highlights the need for better security measures in OT systems. He pointed out that anyone with access to the network and the ability to sniff traffic can easily obtain these credentials, which poses a significant risk.

The vulnerability in Schneider Electric’s power meters was disclosed as part of Forescout’s Icefall OT research. In addition to this vulnerability, Forescout also announced two denial-of-service (DoS) vulnerabilities in WAGO 740 controllers, which have a severity rating of 4.9. These vulnerabilities were revealed at Infosecurity Europe, an event held in London.

Schneider Electric acknowledged the vulnerability in its advisory and explained that the ION Protocol, which was created over 30 years ago, was enhanced with authentication support as cybersecurity became a concern. However, as is often the case with legacy code, security holes still exist. dos Santos mentioned that the vulnerability was originally intended to be part of a bundle of 56 OT flaws released in June 2022 but was delayed due to patching processes.

Schneider Electric has since addressed the vulnerability and released a secure version of the protocol that encrypts the credentials, ensuring they are no longer transmitted in plaintext. This step highlights the company’s commitment to addressing security concerns brought to their attention.

This incident underscores the ongoing lack of security-by-design in OT systems. The Forescout research highlighted recurring design issues that demonstrate a fundamental misunderstanding of basic security control design among OT vendors. These include plaintext and/or hardcoded credentials, client-side authentication, stateful control on stateless protocols, missing critical steps in authentication, broken algorithms, and faulty implementations.
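To make the design flaw described above concrete (credentials carried in plaintext with every message, and the "missing critical steps in authentication" pattern Forescout lists), here is an added example that is not code from the article, from Forescout, or from Schneider Electric. It contrasts a constructed stand-in for the vulnerable pattern with one generic hardening: a challenge-response login in which the password never leaves the client, followed by commands protected with a per-session HMAC and a sequence number. The frame layout, field names and the `MeterServer`/`MeterClient` classes are assumptions made for illustration; they are not the ION protocol's real encoding, and the hardened scheme is not Schneider's actual fix, which the article says encrypts the credentials.

```python
import hashlib
import hmac
import os


# --- Vulnerable pattern: user ID and password ride along in every message ----
# The frame layout below is a constructed stand-in for this example, not the
# real ION encoding; it only reproduces the design flaw the article describes.

def vulnerable_frame(user: str, password: str, command: str) -> bytes:
    return b"|".join([b"METER", user.encode(), password.encode(), command.encode()])


def credentials_exposed(wire_bytes: bytes, password: str) -> bool:
    """A passive observer needs no cryptanalysis: the secret is in the bytes."""
    return password.encode() in wire_bytes


# --- Hardened pattern: challenge-response login, then MAC-protected commands --
# Generic construction for illustration (assumed here, not Schneider's fix):
# the password is never transmitted, each command carries a sequence number
# and an HMAC tag under a per-session key, so captured frames reveal nothing
# reusable and replayed frames are refused.

def derive_key(password: str, salt: bytes) -> bytes:
    # Slow KDF: a captured handshake should not be a cheap offline guessing target
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MeterServer:
    def __init__(self, users):
        self.users = users          # user -> (salt, derived_key); no passwords stored
        self.sessions = {}          # session_id -> [session_key, last_seq]

    def challenge(self, user):
        """Step 1: hand out the user's salt and a fresh nonce."""
        salt, _ = self.users[user]
        return salt, os.urandom(16)

    def login(self, user, nonce, proof):
        """Step 2: verify proof = HMAC(derived_key, 'login' || nonce)."""
        _, key = self.users[user]
        expected = hmac.new(key, b"login" + nonce, "sha256").digest()
        if not hmac.compare_digest(expected, proof):
            return None
        session_key = hmac.new(key, b"session" + nonce, "sha256").digest()
        session_id = os.urandom(8)
        self.sessions[session_id] = [session_key, 0]
        return session_id

    def handle(self, frame):
        """Accept a command only with a valid tag and a strictly increasing seq."""
        session_id, seq, command, tag = frame
        if session_id not in self.sessions:
            return False
        session_key, last_seq = self.sessions[session_id]
        if seq <= last_seq:
            return False                      # replayed or out-of-order frame
        expected = hmac.new(session_key, seq.to_bytes(4, "big") + command, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.sessions[session_id][1] = seq
        return True


class MeterClient:
    def __init__(self, user, password):
        self.user, self.password = user, password
        self.session_id = self.session_key = None
        self.seq = 0

    def login(self, server):
        salt, nonce = server.challenge(self.user)
        key = derive_key(self.password, salt)
        proof = hmac.new(key, b"login" + nonce, "sha256").digest()
        self.session_id = server.login(self.user, nonce, proof)
        if self.session_id is None:
            return False
        self.session_key = hmac.new(key, b"session" + nonce, "sha256").digest()
        return True

    def frame(self, command: bytes):
        self.seq += 1
        tag = hmac.new(self.session_key, self.seq.to_bytes(4, "big") + command, "sha256").digest()
        return (self.session_id, self.seq, command, tag)


def demo():
    """Run both patterns against constructed sample traffic; returns the findings."""
    password, salt = "s3cret", os.urandom(16)       # constructed sample credential
    server = MeterServer({"operator": (salt, derive_key(password, salt))})

    old = vulnerable_frame("operator", password, "SET relay=open")

    good = MeterClient("operator", password)
    bad = MeterClient("operator", "wrong-guess")
    login_ok = good.login(server)
    frame = good.frame(b"SET relay=open")
    wire = b"".join(p if isinstance(p, bytes) else p.to_bytes(4, "big") for p in frame)
    return {
        "plaintext_exposed": credentials_exposed(old, password),   # True
        "hardened_exposed": credentials_exposed(wire, password),   # False
        "wrong_password_login": bad.login(server),                 # False
        "login_ok": login_ok,                                      # True
        "command_accepted": server.handle(frame),                  # True
        "replay_rejected": not server.handle(frame),               # True
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is the threat model the article describes: a passive observer of the vulnerable frames gets a reusable credential for free, while the same observer of the hardened exchange sees only a nonce, an HMAC proof and tagged commands, none of which can be replayed or reused to log in. The slow KDF matters because a captured challenge-response pair is otherwise an offline guessing target, which is the residual risk of any password-based scheme.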

Forescout used the disclosure of these vulnerabilities to call on vendors to improve their security testing procedures. They noted that the pressure to keep products and protocols backward compatible with legacy designs is part of the problem: some vendors face challenges because older product lines with hardcoded credentials and insecure delivery methods are still in use. These products were originally designed without security in mind because it was not a concern at the time, and the need to maintain backward compatibility for products with a lifespan of 20 to 30 years makes fixing them difficult.

The discovery of this vulnerability provides a significant opportunity for the industry to reevaluate and prioritize the security of OT systems. It serves as a reminder that security measures must be a core consideration in the design and development of these systems. By addressing the recurring security issues identified by Forescout and implementing robust security measures, vendors can help mitigate risks and ensure the integrity and reliability of OT systems in the future.
