Honeywell ControlEdge PLC and RTU

Monitor5.9ICS-CERT ICSA-20-175-02Jun 23, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Honeywell ControlEdge PLC and RTU models R130.2, R140, R150, and R151 transmit operator passwords and session tokens in unencrypted network communications (CWE-319). An attacker able to capture network traffic to these devices could extract plaintext credentials and gain unauthorized access to control operations. Honeywell has not released a firmware patch; mitigation requires network isolation and application of secure communication configurations per Honeywell support documentation.

What this means

What could happen

An attacker who gains network access to your ControlEdge PLC or RTU could intercept unencrypted communications to steal operator passwords and session tokens, potentially allowing unauthorized access to device configuration and operation.

Who's at risk

Manufacturing facilities operating Honeywell ControlEdge PLC or RTU controllers should care about this. It affects device versions R130.2, R140, R150, and R151 across both PLC and RTU product lines. Any organization relying on these for process automation is at risk if the devices are reachable from untrusted network segments.

How it could be exploited

An attacker positioned on your plant network (or remote access network if present) could capture network traffic between operator workstations and ControlEdge devices to extract plaintext passwords and session tokens. No special authentication or device configuration is required to perform the capture itself.

Prerequisites

Network access to the ControlEdge PLC or RTU (local plant network or remote access path)
Ability to passively capture or intercept network traffic (e.g., ARP spoofing, network tap, or compromised network segment)

Remotely exploitableNo authentication required for network traffic interceptionLow complexity attack (passive network capture)No patch available

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

ControlEdge PLC: R130.2 R140 R150 and R151R130.2 | R140 | R150 | R151No fix (EOL)

ControlEdge RTU: R101 R110 R140 R150 and R151R101 | R110 | R140 | R150 | R151No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict network access to ControlEdge devices; do not expose them to the Internet or untrusted networks

HARDENINGPlace ControlEdge PLC and RTU behind firewalls and isolate them from the business network

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply Honeywell secure communication guidance from support document SN2020-04-17-01-ConotrolEdge-PLC-and-RTU-Secure-Communication (requires Honeywell support login)

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: ControlEdge PLC: R130.2 R140 R150 and R151, ControlEdge RTU: R101 R110 R140 R150 and R151. Apply the following compensating controls:

HARDENINGIf remote access to ControlEdge is required, enforce VPN or other secure tunneling methods; keep VPN and connected devices updated

CVEs (2)

CVE-2020-10628 CVE-2020-10624

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9d0b9d67-f385-4f3f-a252-153bc1896806