Schneider Electric discloses multiple vulnerabilities: see affected products


Schneider Electric, a market leader among the electrical giants, released an announcement this Wednesday concerning vulnerabilities in its systems.

Included in this notice are the following products:

  • Pro-face GP-Pro EX affected products (GP-Pro EX WinGP for iPC v4.09.450 and prior, GP-Pro EX WinGP for PC/AT v4.09.450 and prior)
  • CODESYS Runtime Vulnerabilities affected products (HMISCU Controller, Modicon Controller LMC078, Modicon Controller M241, Modicon Controller M251, Modicon Controller M261, Modicon Controller M262, Modicon Controller M258, Modicon Controller LMC058, PacDrive 3 Controllers: LMC Eco/Pro/Pro2, Vijeo Designer embedded in EcoStruxure™ Machine Expert, SoftSPS embedded in EcoStruxure™ Machine Expert, Harmony (formerly Magelis) HMIGK/HMIGTO/HMIGTU/HMIGTUX/HMISTU series, iPC series with Vijeo Designer runtime, Easy Harmony HMIET6/HMIFT6, Magelis HMIGXU series)
  • EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and Modicon PLCs (Programmable Logic Controllers) and PACs (Programmable Automation Controllers) affected products (CWE-754: Improper Check for Unusual or Exceptional Conditions)

Schneider Electric recommends updating these products as soon as possible so that you don’t risk the security of your company!
Some general tips that are recommended to protect yourself in such cases are:

General Security Recommendations
We strongly recommend the following industry cybersecurity best practices.
• Locate control and safety system networks and remote devices behind firewalls and
isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control
and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the “Program” mode.
• Never connect programming software to any network other than the network intended for
that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB
drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the
intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that
they are not accessible from the Internet.
• When remote access is required, use secure methods, such as Virtual Private Networks
(VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the
most current version available. Also, understand that VPNs are only as secure as the
connected devices.
