Cyber actors have recently developed new capabilities to remotely interact with Schneider Electric equipment. The affected equipment includes Schneider Electric TM241 and TM251 programmable logic controllers (PLCs), including the TM241MESE, Schneider Electric Modicon M221 PLCs, and Schneider Electric Lexium 32 servo drives (LXM32AD18N4). There is currently no indication of active exploitation.
The capabilities of the exploit framework are significant. They aim to log into a PLC, change the password protecting the ladder logic project file, remotely read the project file from the PLC, and alter device operations. A malicious cyber actor could use these capabilities to perform reconnaissance in an industrial control system (ICS) environment or to alter physical processes within it, potentially resulting in destructive effects or denial of service. Additionally, the exploit can interact with and write data to the Lexium 32 servo drives over the CANopen fieldbus by relaying through the PLC.
General PLC Security Recommendations
The Department of Energy and Schneider Electric encourage owners and operators to follow industry cybersecurity best practices for PLC devices. These recommendations include:
- Locate control and safety system networks and remote devices behind firewalls: Isolate them from business network interactions and the Internet. Only explicitly permitted hosts and protocols should be able to reach controllers, which minimizes unauthorized access and reduces exposure to external threats.
- Never leave controllers in the “Program” mode: This mode should be reserved for specific maintenance tasks and should not be the default operational state. This reduces the risk of unauthorized modifications to the controller’s configuration.
- Limit PLC programming activities to specific systems: These systems should not be used for other purposes. Ensure that mobile and transient devices (such as laptops) are scanned and validated prior to connection to an ICS network. This practice helps prevent the introduction of malware and unauthorized software.
- Use secure methods for remote access: When remote access is required, utilize secure methods such as Virtual Private Networks (VPNs) and multi-factor authentication to access ICS networks. It is important to recognize that VPNs may have exploitable vulnerabilities and should be updated to the most current version available.
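The recommendations above boil down to an allowlist: only designated engineering workstations inside the control network may talk the programming protocol to a PLC, and nothing outside the control network should reach a controller at all. The following Python is an added example, not code from the advisory or from Schneider Electric, showing how a monitoring point (a firewall log pipeline or a network tap) can enforce that allowlist against captured Modbus/TCP requests. The control subnet, the PLC and workstation addresses, and the sample frames are constructed for illustration. Two facts it relies on are documented: Modbus/TCP uses TCP port 502, and Schneider's UMAS programming protocol (used by the Modicon M221) is carried in Modbus function code 90 (0x5A). Programming traffic for the M241/M251 uses other ports and is not modelled here. The example goes slightly beyond the list by also flagging ordinary Modbus write function codes from non-engineering hosts, which is how "alter device operations" would look on the wire.

```python
"""Allowlist-based monitoring of PLC programming and write traffic.

Added example (not from the advisory or Schneider Electric). Addresses,
subnet and the engineering-workstation allowlist are assumptions; the
Modbus/TCP frames below are constructed by hand.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List

CONTROL_NET = ipaddress.ip_network("10.10.20.0/24")   # assumed control subnet
ENGINEERING_WORKSTATIONS = {"10.10.20.5"}              # assumed allowlist
MODBUS_TCP_PORT = 502
UMAS_FUNCTION_CODE = 0x5A   # Modbus function 90 carries Schneider UMAS

# Standard Modbus function codes that change controller state, plus UMAS.
MODBUS_WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17, UMAS_FUNCTION_CODE}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    pdu: bytes  # everything after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    The length field counts the unit id, function code and PDU, i.e. len(frame) - 6.
    Raises ValueError on malformed input so callers can alert on it.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def assess(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> List[str]:
    """Return alerts for one TCP request toward a PLC; an empty list means allowed."""
    alerts: List[str] = []
    if ipaddress.ip_address(src_ip) not in CONTROL_NET:
        alerts.append(f"{src_ip}: connection to PLC {dst_ip} from outside the control network")
    if dst_port != MODBUS_TCP_PORT:
        return alerts
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        alerts.append(f"{src_ip}: malformed Modbus/TCP frame to {dst_ip} ({exc})")
        return alerts
    trusted = src_ip in ENGINEERING_WORKSTATIONS
    if req.function_code == UMAS_FUNCTION_CODE and not trusted:
        alerts.append(f"{src_ip}: UMAS programming traffic (fc 0x5A) from non-engineering host")
    elif req.function_code in MODBUS_WRITE_CODES and not trusted:
        alerts.append(f"{src_ip}: Modbus write (fc 0x{req.function_code:02X}) from non-engineering host")
    return alerts


# Constructed sample traffic toward an assumed PLC at 10.10.20.10.
PLC = "10.10.20.10"
READ_HOLDING = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"   # fc 3, 10 registers
UMAS_FRAME = b"\x00\x02\x00\x00\x00\x04\x01\x5a\x00\x01"               # fc 0x5A (UMAS)
WRITE_REG = b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"        # fc 6, write register
TRUNCATED = b"\x00\x04\x00\x00\x00\x09\x01\x03"                        # bad length field

SAMPLE_EVENTS = [
    ("10.10.20.30", PLC, 502, READ_HOLDING),   # HMI polling: allowed
    ("10.10.20.5", PLC, 502, UMAS_FRAME),      # engineering workstation: allowed
    ("10.10.20.77", PLC, 502, UMAS_FRAME),     # unexpected host programming the PLC
    ("192.168.1.50", PLC, 502, WRITE_REG),     # business-network host writing a register
    ("10.10.20.30", PLC, 502, TRUNCATED),      # malformed frame
]


def run_demo() -> List[List[str]]:
    """Evaluate the constructed events and return the alerts per event."""
    return [assess(*event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, alerts in zip(SAMPLE_EVENTS, run_demo()):
        print(event[0], "->", alerts or "allowed")
```

The same allowlist (control subnet, engineering workstation set, port 502) is what the firewall in front of the controllers should enforce; the monitor exists to catch what gets past it, for example a compromised host that is already inside the control network, which is exactly the case the firewall rule alone does not cover.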
By adhering to these recommendations, owners and operators can enhance the security of their PLC devices and reduce the risk of cyber threats. Maintaining a robust cybersecurity posture is essential to protect critical infrastructure and ensure the reliable operation of industrial control systems.