Harmony iPC – HMIBSC IIoT Edge Box Core
Low Risk | SEVD-2024-282-02 | Oct 8, 2024
Schneider Electric | Energy | Manufacturing
Summary
Schneider Electric Harmony iPC – HMIBSC IIoT Edge Box Core products contain multiple vulnerabilities in the operating system. These edge compute devices enable communication from shop floor to IT systems. Legacy OS and component vulnerabilities could result in operational failures if mitigations are not applied.
What this means
What could happen
An attacker exploiting legacy OS vulnerabilities on this edge device could disrupt communication between the shop floor and IT systems, potentially stopping asset monitoring or maintenance operations, or triggering operational failures in connected industrial processes.
Who's at risk
Operators of water utilities, municipal electric systems, and manufacturing plants using Schneider Electric Harmony iPC HMIBSC edge devices for shop floor-to-IT communication should be concerned. Any facility relying on this edge compute device for asset performance monitoring, maintenance coordination, or operational visibility is affected.
How it could be exploited
An attacker with network access to the unprotected edge device could exploit legacy OS or component vulnerabilities to gain unauthorized access. If the device is internet-exposed or accessible from the business network without firewalls, exploitation risk is significantly higher. A compromised edge device could be used to intercept or alter data flowing between shop floor control systems and IT infrastructure.
Prerequisites
- Network access to the HMIBSC edge device
- Connectivity from an untrusted network (Internet, business network, or mobile device)
- Device exposed without firewall protection or network segmentation
no patch available | legacy OS with known vulnerabilities | edge/boundary device at IT/OT interface | operational failure risk
Affected products (1)
Product | Affected Versions | Fix Status
Harmony iPC – HMIBSC IIoT Edge Box Core All versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate the HMIBSC edge device behind a firewall; do not permit direct connectivity from the business network or Internet
HARDENING: Implement network segmentation to place the edge device and connected shop floor control systems on a separate VLAN from business networks
HARDENING: Restrict physical access to the device; place it in a locked cabinet and ensure it is never left in Program mode
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
WORKAROUND: Implement secure remote access using a VPN if remote management is required; keep VPN software updated to the latest version
Mitigations - no patch available
Harmony iPC – HMIBSC IIoT Edge Box Core All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Scan all removable media (USB drives, CDs) for malware before connecting to networks with this device or connected control systems
HARDENING: Prohibit mobile devices that have connected to other networks from connecting to the control network without proper sanitization