Schneider Electric Triconex TriStation and Tricon Communication Module

Plan PatchCVSS 10ICS-CERT ICSA-20-205-01Jul 23, 2020

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in Schneider Electric Triconex TriStation 1131 and Tricon Communications Module allow an attacker to view cleartext network data, cause denial of service, or gain improper access to safety controllers. TriStation 1131 affected versions range from 1.0.0 through 4.12.0 on Windows NT, XP, or Windows 7. Tricon Communications Modules (TCM 4351, 4352, 4351A/B, 4352A/B) affected versions range from 10.0 through 10.5.3. Vulnerabilities include unencrypted communications (CWE-319), denial of service (CWE-400), missing security features (CWE-912), and inadequate access controls (CWE-284).

What this means

What could happen

An attacker on the network could read sensitive control data in cleartext, disrupt safety system operations, or gain unauthorized access to PLCs and safety controllers that protect critical processes.

Who's at risk

Energy sector operators using Schneider Electric Triconex safety systems should care: specifically organizations running TriStation 1131 engineering software (v4.9.0 or earlier) and facilities with Tricon Communications Modules (TCM models 4351, 4352, 4351A/B, 4352A/B) in their safety instrumented systems (SIS). These devices protect critical safety functions in power generation, transmission, and distribution systems.

How it could be exploited

An attacker with network access to the TriStation engineering workstation or Tricon Communication Module can intercept unencrypted communications to capture credentials and process data, or send unauthorized commands to alter safety system behavior or cause a denial of service.

Prerequisites

Network access to TriStation 1131 engineering workstation or Tricon Communications Module (TCM) on ports used for controller communication
No authentication required for exploitation of cleartext data transmission
Device must be reachable from attacker's network segment

remotely exploitableno authentication required for data interceptionlow complexity attackno patch available for many deployed versions (end-of-life products)affects safety systemsunencrypted communications

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Tricon Communications Module (TCM) Models 4351 4352 4351A/B and 4352A/B installed in Tricon: v10.0 to v10.5.3 systems≥ 10.0 | ≤ 10.5.310.5.4+

TriStation 1131: v1.0.0 to v4.9.0 v4.10.0 and 4.12.0 operating on Windows NT Windows XP or Windows 7≥ 1.0. | ≤ 4.9.0 | 4.10.0 | 4.12.04.9.1, 4.10.1, or 4.13.0+

Remediation & Mitigation

0/8

Do now

0/3

WORKAROUNDImplement network firewall rules to restrict access to TriStation workstations and Tricon devices; only allow connections from authorized engineering networks

HARDENINGEnsure Tricon key switch is never left in PROGRAM mode; configure operator station alarms when switch enters PROGRAM mode

HARDENINGEnable all cybersecurity features in Triconex solutions

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Tricon Communications Module (TCM) Models 4351 4352 4351A/B and 4352A/B installed in Tricon: v10.0 to v10.5.3 systems

HOTFIXUpgrade Tricon Communications Module (TCM) to version 10.5.4 or later

All products

HOTFIXUpgrade TriStation 1131 to version 4.9.1, 4.10.1, or 4.13.0 or later

Long-term hardening

0/3

HARDENINGIsolate all Triconex safety systems and control networks from the business network using air gaps or dedicated network segments

HARDENINGSecure all TriStation engineering workstations with physical access controls (locked cabinets) and network isolation; never allow connection to other networks

HARDENINGImplement physical access controls to prevent unauthorized personnel from accessing controllers, safety systems, and network connections

CVEs (5)

CVE-2020-7483 CVE-2020-7484 CVE-2020-7485 CVE-2020-7486 CVE-2020-7491

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/dd7714cc-a353-4105-81dd-fd04e7b3f12f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.