EcoStruxure™ Power Operation 2021, EcoStruxure™ Power SCADA Operation 2020 and EcoStruxure™ Power SCADA Operation 2020 R2

MonitorCVSS 7.5SEVD-2023-010-03Jan 10, 2023

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in the IEC 61850 communication driver used by EcoStruxure Power Operation 2021 and EcoStruxure Power SCADA Operation 2020/2020 R2 can be exploited remotely via specially crafted protocol messages. The flaw causes an improper memory access (CWE-824) that crashes the driver, resulting in loss of communication to substations and downstream power control devices. Affected versions include all maintenance updates of these releases. Schneider Electric has not provided a permanent fix for these product versions and recommends only the driver package update as available remediation.

What this means

What could happen

An attacker can send specially crafted network packets over the IEC 61850 protocol to crash the communication driver, causing the SCADA software to lose connection to monitored substations and control devices. This could prevent operators from seeing real-time status of the power grid or responding to outages.

Who's at risk

Electric utilities and power generators using EcoStruxure Power Operation or Power SCADA Operation software for monitoring substations and power distribution equipment. This affects any organization relying on IEC 61850 protocol connections from their SCADA master to remote terminal units (RTUs), protective relays, or intelligent electronic devices (IEDs) in the field.

How it could be exploited

An attacker with network access to the EcoStruxure software host sends malformed IEC 61850 protocol messages to the 61850 communication port. The vulnerability in the driver causes a memory fault that crashes the driver process, severing communication to downstream devices like protective relays and circuit breakers that depend on the SCADA connection.

Prerequisites

Network access to the EcoStruxure host on the port used by the IEC 61850 driver (typically port 102)
The IEC 61850 driver must be active and listening for incoming connections
No authentication required to send malformed packets

remotely exploitableno authentication requiredlow complexityaffects operational visibility and controlno patch available yet

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (3)

3 pending

ProductAffected VersionsFix Status

EcoStruxure™ Power SCADA Operation 20202020 & 2020 CU1No fix yet

EcoStruxure™ Power SCADA Operation 2020 R22020 R2 & 2020 R2 CU1, 2020 R2 CU2, & 2020 R2 CU3No fix yet

EcoStruxure™ Power Operation 20212021, 2021 CU1, 2021 CU2 & 2021 CU3No fix yet

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to the EcoStruxure software host using firewall rules to allow only trusted substation devices and engineering workstations to connect to the IEC 61850 communication port

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXDownload and apply the updated IEC 61850 driver package from Schneider Electric community portal at https://community.se.com/t5/EcoStruxure-Power-Operation/IEC61850-Driver-Latest-Release/m-p/150118

Long-term hardening

0/1

HARDENINGSegment the SCADA network so that the EcoStruxure hosts are isolated from untrusted networks and the corporate IT environment

CVEs (1)

CVE-2022-38138

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/92b56fda-524c-4bfc-94e7-c40b1a0be487

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.