Schneider Electric Triconex TriStation and Tricon Communication Module
Act Now10ICS-CERT ICSA-20-205-01Jul 23, 2020
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Multiple vulnerabilities in Schneider Electric Triconex TriStation 1131 and Tricon Communications Module allow an attacker to view cleartext network data, cause denial of service, or gain improper access to safety controllers. TriStation 1131 affected versions range from 1.0.0 through 4.12.0 on Windows NT, XP, or Windows 7. Tricon Communications Modules (TCM 4351, 4352, 4351A/B, 4352A/B) affected versions range from 10.0 through 10.5.3. Vulnerabilities include unencrypted communications (CWE-319), denial of service (CWE-400), missing security features (CWE-912), and inadequate access controls (CWE-284).
What this means
What could happen
An attacker on the network could read sensitive control data in cleartext, disrupt safety system operations, or gain unauthorized access to PLCs and safety controllers that protect critical processes.
Who's at risk
Energy sector operators using Schneider Electric Triconex safety systems should care: specifically organizations running TriStation 1131 engineering software (v4.9.0 or earlier) and facilities with Tricon Communications Modules (TCM models 4351, 4352, 4351A/B, 4352A/B) in their safety instrumented systems (SIS). These devices protect critical safety functions in power generation, transmission, and distribution systems.
How it could be exploited
An attacker with network access to the TriStation engineering workstation or Tricon Communication Module can intercept unencrypted communications to capture credentials and process data, or send unauthorized commands to alter safety system behavior or cause a denial of service.
Prerequisites
- Network access to TriStation 1131 engineering workstation or Tricon Communications Module (TCM) on ports used for controller communication
- No authentication required for exploitation of cleartext data transmission
- Device must be reachable from attacker's network segment
remotely exploitableno authentication required for data interceptionlow complexity attackno patch available for many deployed versions (end-of-life products)affects safety systemsunencrypted communications
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
2 with fix
ProductAffected VersionsFix Status
Tricon Communications Module (TCM) Models 4351 4352 4351A/B and 4352A/B installed in Tricon: v10.0 to v10.5.3 systems≥ 10.0 | ≤ 10.5.310.5.4 or later
TriStation 1131: v1.0.0 to v4.9.0 v4.10.0 and 4.12.0 operating on Windows NT Windows XP or Windows 7≥ 1.0. | ≤ 4.9.0 | 4.10.0 | 4.12.04.9.1, 4.10.1, or 4.13.0 or later
Remediation & Mitigation
0/8
Do now
0/3WORKAROUNDImplement network firewall rules to restrict access to TriStation workstations and Tricon devices; only allow connections from authorized engineering networks
HARDENINGEnsure Tricon key switch is never left in PROGRAM mode; configure operator station alarms when switch enters PROGRAM mode
HARDENINGEnable all cybersecurity features in Triconex solutions
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
Tricon Communications Module (TCM) Models 4351 4352 4351A/B and 4352A/B installed in Tricon: v10.0 to v10.5.3 systems
HOTFIXUpgrade Tricon Communications Module (TCM) to version 10.5.4 or later
All products
HOTFIXUpgrade TriStation 1131 to version 4.9.1, 4.10.1, or 4.13.0 or later
Long-term hardening
0/3HARDENINGIsolate all Triconex safety systems and control networks from the business network using air gaps or dedicated network segments
HARDENINGSecure all TriStation engineering workstations with physical access controls (locked cabinets) and network isolation; never allow connection to other networks
HARDENINGImplement physical access controls to prevent unauthorized personnel from accessing controllers, safety systems, and network connections
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/dd7714cc-a353-4105-81dd-fd04e7b3f12f