OTPulse

EcoStruxure™ Power SCADA Operation

Low Risk | SEVD-2023-129-02 | May 9, 2023
Summary

Multiple vulnerabilities exist in the AVEVA Plant SCADA product included in EcoStruxure Power Operation and Power SCADA Operation. These on-premises software platforms monitor and control medium and lower power systems. The vulnerabilities could allow unauthenticated remote attackers to read sensitive data, cause denial of service, escalate privileges, and tamper with alarm states, potentially masking equipment faults or failures in production systems.

What this means
What could happen
An unauthenticated attacker with network access could read sensitive power system data, disrupt monitoring and control operations, or manipulate alarm states, potentially masking real equipment failures or faults.
Who's at risk
Energy sector operators and utilities using EcoStruxure Power Operation or Power SCADA Operation for medium and lower voltage power system monitoring and control, including both 2021 and 2022 versions before the current update.
How it could be exploited
An attacker with network access to the EcoStruxure Power Operation or Power SCADA Operation software could exploit the underlying AVEVA Plant SCADA vulnerabilities without credentials to remotely access the application, read data from monitored power systems, trigger denial of service, or alter alarm configurations.
Prerequisites
  • Network access to the EcoStruxure Power Operation or Power SCADA Operation application
  • Software version 2021 CU3 or earlier, or 2022 version prior to CU1
  • remotely exploitable
  • no authentication required
  • affects power system monitoring and control
  • privilege escalation potential
  • no patch available for 2021 versions
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
EcoStruxure™ Power Operation | 2022 | 2022 CU1
EcoStruxure™ Power Operation | ≤ 2021 CU3 | 2022 CU1
Remediation & Mitigation
Do now
WORKAROUND: If immediate patching is not possible, isolate the EcoStruxure Power Operation system from the business network using a firewall and restrict network access to authorized personnel only.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EcoStruxure Power Operation to version 2022 CU1 or later.
Long-term hardening
HARDENING: Implement network segmentation to place control and safety system networks behind firewalls and separate from business networks.
HARDENING: Restrict remote access to the software; if remote access is required, use a VPN with current security patches.
HARDENING: Enforce physical access controls such as locked cabinets and prevent programming mode access without authorization.
HARDENING: Scan all removable media (USB drives, CDs) for malware before connecting to the control network.