PanelShock 0-day Vulnerability Puts Thousands of Schneider Electric HMI Panels, Industrial Control Systems and Critical Infrastructure at Risk

Security researchers at CRITIFENCE cyber security labs publicly announced this morning (November 1, 2016) major cyber security vulnerabilities affecting one of the world’s largest manufacturers of SCADA and Industrial Control Systems, Schneider Electric.

The zero-day vulnerabilities dubbed PanelShock, found earlier this year by Eran Goldstein, CTO and Founder of CRITIFENCE, a leading Critical Infrastructure, SCADA and Industrial Control Systems cyber security firm. The PanelShock vulnerability was uncovered in collaboration with Check Point Software Technologies Ltd. CRITIFENCE released an advisory of the vulnerability.

“PanelShock disclose a new type of vulnerabilities in Schneider Electric’s SCADA Human Machine Interface (HMI) device panels. A low skills attacker can freeze and disconnect an HMI panel devices from the SCADA network remotely by exploiting these vulnerabilities. HMI panel devices allows operators and process engineers to monitor and control manufacture processes and field equipment, such as valves, pumps, engines, turbines, centrifuges and more.” says Eran Goldstein.

Schneider Electric are among the most common SCADA vendors in North America, Europe and worldwide. The vendor’s products are used in nearly every modern automated factory or processing plant. The vulnerabilities affects all firmware versions of Schneider Electric Magelis Advanced HMI Panel series including:

• Magelis GTO Advanced Optimum panels
• Magelis GTU Universal panel
• Magelis STO & STU Small panels
• Magelis XBT GH Advanced hand-held Panel
• Magelis XBT GK Advanced Touchscreen Panels with Keyboard
• Magelis XBT GT Advanced Touchscreen Panels
• Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe)

PanelShock vulnerabilities, CVE-2016-8367 (SVE-82003201) and CVE-2016-8374 (SVE-82003202) disclosed improper implementation of different HTTP request methods and improper implementation of resource consumption management mechanism, in the Web Gate web service of Magelis Advanced HMI panel’s series. By exploiting the PanelShock vulnerabilities, a malicious attacker can “freeze” the panel remotely and disconnect the HMI panel device from the SCADA network and prevent the panel from communicating with PLCs and other devices, which can cause the supervisor or operator to perform wrong actions, which may further damage the factory or plant operations.

“Use of HMIs which are connecting to field installed PLCs must operate very reliable as the service engineer relies on the display for setting the operation parameters of PLCs which control the process. A security vulnerability in these devices might lead to a compound attack which can mask the view of on-site supervisors. During a malicious sabotage on the control system, the authorized and trained service person may perform a critical mistake and disruption of the control process”, says Daniel Ehrenreich, SCCE, SCADA-Cyber consultant, and trainer.

In addition, by exploiting the vulnerabilities the attacker can also trigger an unwanted behavior of the Harmony XVGU Tower Light device connected to the HMI Panel, such as starting an alarm or flashing red lights.   As a result of the PanelShock attack, the target Schneider Electric Magelis GTO HMI has lost its network connectivity and requires a physical reboot to recover.

Proof of Concept (PoC) video of PanelShock Attack can be viewed here:  https://youtu.be/Ehzs0mlMtbc

“Cyber security vulnerabilities commonly survive much longer in SCADA and Industrial Control Systems than in typical IT Networks”, says Eran Goldstein, CTO and Founder of CRITIFENCE. “In most scenarios SCADA and ICS hardware installed on client’s facilities are used as part of a production environment. In many cases, the hardware is installed in harsh environments and hard to reach places. This results in a much lower physical availability than any other network device. In addition, since these devices are in a production environment, disabling the device for a software update could cause much larger scale complications. Another important reason is that managers of such plants and facilities do not like tampering with devices if it’s working without any issues, as the saying goes – if it works, don’t touch it. So in many occasions, security managers would rather isolate the SCADA and ICS networks, and hardening the networks leading to that environment, than tampering with the actual devices”.

Following a disclosure, Schneider Electric have confirmed that the Magelis HMI Series products are vulnerable to the findings presented by CRITIFENCE and released an Important Security Bulletin (SEVD-2016-302-01) Once acknowledged the existence of the vulnerability, CRITIFENCE with a support from ICS-CERT (Department of Homeland Security, DHS) worked in collaboration with Schneider Electric to mitigate and remediate the vulnerabilities in order to create a security updates for all Schneider Electric Magelis Advanced HMI Panel series. ICS-CERT released an Advisory and Alert for PanelShock vulnerabilities. Schneider Electric are already working on a software update for the affected types of HMI panels.

For more information: Important Security Bulletin (SEVD-2016-302-01)

The major issue of a remediation process in Critical Infrastructure, SCADA systems, and OT Networks is not just to create the specific security patch or firmware update that will mitigate a cyber security zero-day vulnerability. “Fixing a vulnerable SCADA equipment such HMI or PLC require installing a software patch in most cases or in some situations even to reinstall the firmware on the affected hardware. This process might cause downtime of the system and require coordination of few teams/factors as well with a scheduled maintenance windows which are hardly allowed in SCADA systems” says Alexey Baltacov, Advisory Board Member at CRITIFENCE.

As part of the disclosure CRITIFENCE Critical Infrastructure and SCADA/ICS Cyber Threats Research Group have released a free tool to active check specifically for PanelShock vulnerabilities – CRITIFENCE PanelShockVCT (Vulnerability Check Tool) that can be downloaded here: http://www.critifence.com/vct/panel_shock

“The vast majority of SCADA and ICS devices are based on legacy hardware components, so many devices succumb to vulnerabilities that could be handled easily by more robust hardware. Feeble CPU’s, low memory hardware and outdated operating systems are not uncommon in the field of SCADA and ICS. Yet not many security researchers have access to this kind of devices. While anyone at home can download a web server software and try to find vulnerabilities, not that many people overall have access to a PLC which is not part of a production environment. The elevated security of many common network components is partly a result of the vendors’ work, and partly a result of self-assigned security researchers that find vulnerabilities. Since there’s a low exposure to SCADA and ICS devices to security researchers, the security level relies exclusively on vendors’ efforts”. Says Eyal Benderski, Manager of the Critical Infrastructure and SCADA/ICS Cyber Threats Research Group at CRITIFENCE.

About the Authors

CRITIFENCE is a leading Critical Infrastructure, SCADA and Industrial Control Systems cyber security firm.

The company developed and provides SCADAGate+ unique passive cyber security technology and solutions designed for Critical Infrastructure, SCADA and Industrial Control Systems visibility and vulnerability assessment,  which allow to monitor, control and to analyze OT network cyber security events and vulnerabilities easily and entirely passively. CRITIFENCE development team and Critical Infrastructure and SCADA/ICS Cyber Threats Research Group combined from top experienced SCADA and cyber security experts and researchers of the IDF’s Technology & Intelligence Unit 8200 (Israel’s NSA).

For more information about CRITIFENCE refer to: http://www.critifence.com

Pierluigi Paganini

(Security Affairs – Schneider Electric HMI, zero-day)