OTPulse

Harmony iPC – HMIBSC IIoT Edge Box Core

Low Risk · SEVD-2024-282-02 · Oct 8, 2024
Summary

Schneider Electric has identified multiple vulnerabilities in the Harmony iPC – HMIBSC IIoT Edge Box Core family due to legacy operating system and component vulnerabilities. These edge compute devices enable communication and data exchange between shop floor equipment and IT systems. The vulnerabilities could result in operational failures if mitigations are not applied. No patch is currently available from the vendor.

What this means
What could happen
The Harmony iPC – HMIBSC IIoT Edge Box Core devices contain multiple OS-level vulnerabilities due to legacy components that could allow an attacker to compromise the edge compute platform, potentially disrupting communication between shop floor equipment and IT systems or enabling lateral movement into your plant network.
Who's at risk
These vulnerabilities affect energy and manufacturing organizations that use Harmony iPC – HMIBSC IIoT Edge Box Core devices to bridge shop floor equipment (sensors, PLCs, drives, safety systems) with IT systems. Organizations in water utilities, electric utilities, refineries, food/beverage processing, and discrete manufacturing that rely on these devices for data collection and remote monitoring should prioritize mitigation.
How it could be exploited
An attacker with network access to an unpatched HMIBSC device could exploit legacy OS or component vulnerabilities to gain command execution on the edge box. From there, the attacker could intercept or manipulate data flowing between shop floor devices and your IT network, or use the compromised device as a pivot point to attack PLCs, drives, sensors, and other control equipment on the same network segment.
Prerequisites
  • Network access to the HMIBSC device (directly or via the business network)
  • No authentication required for some legacy OS vulnerabilities
  • Device must be running an unpatched OS version
  • No patch available
  • Legacy OS components with known vulnerabilities
  • Affects industrial edge compute platform
  • Could enable lateral movement into plant networks
  • Multiple unspecified vulnerabilities
Affected products (1)
Product: Harmony iPC – HMIBSC IIoT Edge Box Core
Affected Versions: All versions
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate Harmony iPC – HMIBSC devices and all shop floor control networks behind a firewall; do not allow direct connectivity between these devices and your business network.
HARDENING: Restrict network access to HMIBSC devices to only the specific IT systems that need to communicate with them; block all unnecessary inbound and outbound connections.
HARDENING: Never connect engineering software or programming tools to the HMIBSC device network from any other network; keep programming isolated to the intended network only.
HARDENING: Scan and sanitize all removable media (USB drives, CDs) before connecting them to the HMIBSC device or any equipment on the shop floor network.
HARDENING: Do not allow mobile devices or laptops that have connected to other networks (guest WiFi, home networks, internet) to connect to the shop floor network without full malware scanning and verification.
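The first two hardening items above (isolate the edge box, and allow only specific IT systems to reach it) are only as good as their enforcement, so a defender wants a way to check firewall logs against the intended allowlist. The following script is an added example written for this page; it is not OTPulse or Schneider Electric code. It assumes a simple key=value connection-log format, and the device address, peer addresses and port numbers are constructed placeholders that you would replace with your own inventory.

```python
"""Audit firewall connection records against an HMIBSC network allowlist.

Added example, not part of the advisory. The log format, addresses and
ports below are constructed; adapt LOG_RE and the tables to your site.
"""
import re
from dataclasses import dataclass

# Hypothetical addressing: the edge box sits on the OT segment; only the
# historian and the SCADA server on the IT side may talk to it.
HMIBSC_DEVICES = {"10.20.30.5"}                  # constructed device address
ALLOWED_PEERS = {
    "10.10.1.20": {502, 4840},   # historian: Modbus/TCP and OPC UA (constructed)
    "10.10.1.21": {4840},        # SCADA server: OPC UA only (constructed)
}

# Matches the constructed "src=... dst=... dport=..." record style.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


@dataclass(frozen=True)
class Violation:
    line_no: int
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line):
    """Return (src, dst, dport) or None if the line is not a connection record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"])


def check_flow(src, dst, dport):
    """Return a reason string if the flow violates the allowlist, else None."""
    if dst in HMIBSC_DEVICES:
        ports = ALLOWED_PEERS.get(src)
        if ports is None:
            return "inbound from host not on allowlist"
        if dport not in ports:
            return "inbound on port not permitted for this peer"
        return None
    if src in HMIBSC_DEVICES:
        if dst not in ALLOWED_PEERS:
            return "outbound to host not on allowlist"
        return None
    return None  # flow does not involve the edge box


def audit_flows(lines):
    """Walk the log and collect every flow that breaks the allowlist."""
    violations = []
    for n, line in enumerate(lines, 1):
        flow = parse_flow(line)
        if flow is None:
            continue  # not a connection record (e.g. link state messages)
        reason = check_flow(*flow)
        if reason:
            violations.append(Violation(n, *flow, reason))
    return violations


# Constructed sample log: two permitted flows, three violations, one non-record.
SAMPLE_LOG = [
    "Oct  8 10:00:01 fw CONN src=10.10.1.20 dst=10.20.30.5 dport=4840 proto=tcp",
    "Oct  8 10:00:02 fw CONN src=10.10.1.21 dst=10.20.30.5 dport=502 proto=tcp",
    "Oct  8 10:00:03 fw CONN src=192.168.50.77 dst=10.20.30.5 dport=22 proto=tcp",
    "Oct  8 10:00:04 fw CONN src=10.20.30.5 dst=10.10.1.20 dport=8443 proto=tcp",
    "Oct  8 10:00:05 fw CONN src=10.20.30.5 dst=203.0.113.9 dport=443 proto=tcp",
    "Oct  8 10:00:06 fw link eth1 up",
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_LOG):
        print(f"line {v.line_no}: {v.src} -> {v.dst}:{v.dport}  {v.reason}")
```

Run against the constructed sample, the audit flags the SCADA server using a port it is not approved for, a workstation outside the allowlist reaching the device, and the device itself initiating a connection to an external address; the two historian flows pass. Pointing this at real exports of your firewall's connection logs gives you evidence that the segmentation in the hardening items is actually holding.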
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Implement physical access controls—place HMIBSC devices in locked cabinets and restrict who can access or reprogram them.
Mitigations - no patch available
Harmony iPC – HMIBSC IIoT Edge Box Core (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: If remote access to HMIBSC devices is required, use a VPN with current patches and strong authentication; ensure the VPN client itself is not compromised before connecting.
API: /api/v1/advisories/cf2d8a11-db7a-4b9b-b664-a763ddb22689