OTPulse

Schneider Electric Triconex Tricon

Act Now (9)
ICS-CERT ICSA-18-107-02 · Apr 17, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Schneider Electric Triconex Tricon MP Model 3008 (firmware versions 10.0–10.4) contains vulnerabilities that could allow arbitrary code execution and compromise of safety instrumented systems. The HatMan malware exploits these vulnerabilities to alter process parameters, disable safety functions, or shut down operations. Exploitation requires unrestricted network access to the safety network and physical access to set the Tricon key switch to "PROGRAM" mode. Schneider Electric recommends upgrading to Tricon CX v11.4 or later, which includes IEC 62443 compliance and enhanced security controls. For detection and remediation, users should contact Schneider Electric support to analyze systems for malware presence.

What this means
What could happen
An attacker could upload malicious code to the Tricon safety controller, allowing them to alter process setpoints, disable safety interlocks, or shut down critical operations. This directly compromises the safety instrumented system that protects personnel and equipment.
Who's at risk
Safety engineers and operators at water utilities and electric utilities that depend on Triconex Tricon MP Model 3008 safety systems for critical interlocks, pressure relief, or shutdown functions. Any organization using Triconex controllers for emergency stop systems, safety-critical process control, or personnel protection.
How it could be exploited
An attacker first gains unrestricted access to the safety network (through a compromised TriStation engineering workstation, a reachable plant network, or physical access to the controllers). While the Tricon key switch is in PROGRAM mode, the attacker connects to the controller over the TriStation protocol and loads a malicious program into it. The implanted code persists in the controller and lets the attacker execute arbitrary commands on the safety system.
Prerequisites
  • Unrestricted network access to the Tricon safety network
  • Physical access to the Tricon controller or an engineering workstation on the safety network
  • Tricon key switch set to PROGRAM mode (attacker can set this if physical access is available)
  • No air gap or network segmentation between attacker and safety network
Risk factors
  • Remotely exploitable over the safety network
  • Affects safety systems directly
  • Arbitrary code execution capability
  • High CVSS score (9.0)
  • No patch available for MP Model 3008 firmware 10.0–10.4
  • Complex attack (requires PROGRAM mode access), but feasible with physical or network access
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (1)
Product | Affected Versions | Fix Status
MP Model 3008 | ≥ 10.0 and ≤ 10.4 | No fix (EOL)
Remediation & Mitigation
Do now
HOTFIXContact Schneider Electric support to perform malware detection and analysis on all Tricon systems; request HatMan detection and removal if malware is found
HARDENINGEnsure Tricon key switch is never left in PROGRAM mode; configure operator station alarms to alert when PROGRAM mode is active
HARDENINGIsolate all Triconex safety networks from plant LAN and Internet; place controllers behind firewall with restricted access
HARDENINGEnsure all TriStation engineering workstations are secured and never connected to any network other than the safety network (i.e. air-gapped from the plant LAN and the Internet)
HARDENINGRestrict physical access to Tricon controllers and engineering workstations with locked cabinets and access controls
HARDENINGScan all removable media (USB drives, CDs, DVDs) for malware before connecting to engineering workstations or safety network
HARDENINGEnable all built-in cybersecurity features in Triconex solutions
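Two of the controls above, alarming on PROGRAM mode and restricting which hosts may reach the controllers over the safety network, can be checked continuously rather than only at audit time. The following is an added example, not code from the OTPulse page, ICS-CERT or Schneider Electric. It runs simple detection logic over constructed log lines: it flags TriStation traffic to a Tricon from any host other than the sanctioned engineering workstation, flags PROGRAM mode outside a maintenance window, and correlates the two, because the advisory's precondition for writing a payload is a controller whose key switch is in PROGRAM mode. Assumptions not stated on the page: TriStation runs over UDP/1502 (the protocol's standard port); the addresses, log formats, timestamps and maintenance window are invented for the example.

```python
"""Added example (not from OTPulse/ICS-CERT/Schneider): detection logic for
unauthorised TriStation traffic and PROGRAM-mode key switch events.
Assumptions not on the advisory page: TriStation uses UDP/1502; all
addresses, record formats, times and the maintenance window are invented."""
from dataclasses import dataclass
from datetime import datetime, time
import re

TRISTATION_PORT = 1502  # UDP; TriStation's standard port (assumption, see docstring)

# Constructed allowlist: the only workstation allowed to program the Tricons.
ENGINEERING_WORKSTATIONS = {"10.10.50.10"}
TRICON_CONTROLLERS = {"10.10.50.20", "10.10.50.21"}

# Constructed maintenance window in which PROGRAM mode is expected.
MAINT_WINDOW = (time(8, 0), time(12, 0))

# Constructed record formats: a flow record from a firewall/span port and a
# key switch state event from the operator station alarm journal.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>udp|tcp) src=(?P<src>[\d.]+):\d+ "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
KEY_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<dev>[\d.]+) keyswitch=(?P<mode>RUN|PROGRAM|STOP|REMOTE)$"
)


@dataclass
class Finding:
    ts: str
    severity: str  # info < medium < high < critical
    reason: str


def in_maintenance_window(ts: str) -> bool:
    t = datetime.fromisoformat(ts).time()
    return MAINT_WINDOW[0] <= t <= MAINT_WINDOW[1]


def analyse(lines):
    """Process log lines in time order and return a list of Findings."""
    mode = {}  # last known key switch position per controller address
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        k = KEY_RE.match(line)
        if k:
            mode[k["dev"]] = k["mode"]
            if k["mode"] == "PROGRAM":
                if in_maintenance_window(k["ts"]):
                    findings.append(Finding(k["ts"], "info",
                        f"{k['dev']} in PROGRAM mode inside maintenance window"))
                else:
                    findings.append(Finding(k["ts"], "high",
                        f"{k['dev']} in PROGRAM mode outside maintenance window"))
            continue

        f = FLOW_RE.match(line)
        if not f or f["proto"] != "udp" or int(f["dport"]) != TRISTATION_PORT:
            continue  # not TriStation; Modbus/TCP etc. is out of scope here
        src, dst, ts = f["src"], f["dst"], f["ts"]
        if dst not in TRICON_CONTROLLERS:
            findings.append(Finding(ts, "medium",
                f"TriStation traffic from {src} to unknown destination {dst}"))
        elif src not in ENGINEERING_WORKSTATIONS:
            # Unauthorised host speaking TriStation to a Tricon. If the controller
            # is in PROGRAM mode the host can actually write a program to it.
            sev = "critical" if mode.get(dst) == "PROGRAM" else "high"
            findings.append(Finding(ts, sev,
                f"TriStation traffic to Tricon {dst} from unauthorised host {src} "
                f"(key switch: {mode.get(dst, 'unknown')})"))
        elif not in_maintenance_window(ts):
            findings.append(Finding(ts, "medium",
                f"sanctioned workstation {src} programming {dst} outside maintenance window"))
    return findings


# Constructed sample log (invented addresses and times).
SAMPLE_LOG = """
2018-04-17T09:00:00 device=10.10.50.20 keyswitch=PROGRAM
2018-04-17T09:05:12 proto=udp src=10.10.50.10:53012 dst=10.10.50.20:1502
2018-04-17T09:06:40 proto=udp src=10.10.50.77:40211 dst=10.10.50.20:1502
2018-04-17T11:30:00 device=10.10.50.20 keyswitch=RUN
2018-04-17T22:41:03 device=10.10.50.21 keyswitch=PROGRAM
2018-04-17T22:42:15 proto=udp src=10.10.50.77:40212 dst=10.10.50.21:1502
2018-04-17T22:43:00 proto=tcp src=10.10.50.77:40213 dst=10.10.50.21:502
2018-04-17T22:45:00 proto=udp src=10.10.50.10:53013 dst=10.10.50.21:1502
""".strip().splitlines()


def sample_findings():
    return analyse(SAMPLE_LOG)


if __name__ == "__main__":
    for fnd in sample_findings():
        print(f"{fnd.ts} [{fnd.severity}] {fnd.reason}")
```

On the sample log the sanctioned workstation's session during the window produces nothing, the unknown host 10.10.50.77 is raised to critical both times because the target controller was in PROGRAM mode, the late-night PROGRAM event is high on its own, and the Modbus/TCP line is ignored. Feeding real flow records and the key switch alarm from the operator station into `analyse` gives the alert the "Do now" list asks for, with the allowlist doubling as the written policy for the firewall in front of the controllers.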
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIXMigrate affected Triconex Tricon MP Model 3008 controllers (firmware 10.0–10.4, for which no fix exists) to Tricon CX v11.4 or later, as recommended by Schneider Electric