The global site of the UK's leading magazine for automation, motion engineering and power transmission
22 June, 2024


Cyber-flaws in Schneider HMIs could allow attacks

02 November, 2016

Cyber-security researchers have found vulnerabilities in Schneider Electric’s Magelis HMIs (human-machine interfaces) that could allow attackers to “freeze” the panels remotely and prevent them from communicating with PLCs and other devices, potentially affecting the operation of industrial plants.

The researchers, from the industrial controls security specialist CritiFence, warn that disconnecting HMIs from Scada networks and other devices could cause operators to perform incorrect actions. They have named the "zero-day" vulnerabilities PanelShock.

The researchers, who identified the issue in April 2016, have been working with Schneider Electric to mitigate and remediate the problem. Schneider has recently issued a security bulletin saying it is aware of the vulnerabilities and offering users advice on mitigations to help minimise the risks.

It says that the vulnerabilities can generate a freeze condition on an HMI that can lead to a denial-of-service due to incomplete error management of HTTP requests in the HMI’s Web Gate Server. While under attack via a malicious HTTP request, the HMI may be unable to manage communications due to high resource consumption. This can lead to a loss of communications with devices such as PLCs, and require the HMI to be rebooted to recover.

Schneider points out that exploitation of the vulnerabilities requires the Web Gate Server to be activated. By default, this function is disabled.

The HMI panels affected by the vulnerabilities include Schneider’s Magelis GTO Advanced Optimum panels, Magelis GTU Universal panels, Magelis STO and STU small panels, Magelis XBT GH Advanced hand-held panels, Magelis XBT GK Advanced touchscreen panels with keyboards, Magelis XBT GT Advanced touchscreen panels, and Magelis XBT GTW Advanced Open (Windows XPe) touchscreen panels.

Schneider Electric's Magelis GTU HMI is one of the products potentially affected by the PanelShock vulnerabilities

Schneider says that owners of the Magelis GTO Advanced Optimum Panels and GTU Universal panels will be able to upgrade their Vijeo Designer software in March 2017 to a new version that will be immune from the vulnerabilities.

One of the weaknesses that CritiFence identified in the HMIs is that the timeout value for closing an HTTP client’s requests in the Web Gate service is too long. This allows an attacker to open multiple connections to the targeted Web server and to keep them open for as long as possible by continuously sending partial HTTP requests, none of which are ever completed. The attacked server opens more and more connections, waiting for each of the attack requests to be completed, which allows a single computer to take down the Web Gate Server.
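For defenders, the pattern described above (many connections from one source that stay open without ever completing a request) can be spotted from connection events at a proxy or firewall in front of the panel. The following is an added example, not code from the article, CritiFence or Schneider Electric; the log format, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from a real HMI).
# Assumed format: "<seconds> <conn_id> <src_ip> <event>"
# OPEN = TCP accepted, DATA = bytes received,
# COMPLETE = full request header received, CLOSE = connection closed.
SAMPLE_LOG = """\
0 c1 192.0.2.10 OPEN
1 c1 192.0.2.10 DATA
1 c1 192.0.2.10 COMPLETE
2 c1 192.0.2.10 CLOSE
5 c2 198.51.100.7 OPEN
5 c3 198.51.100.7 OPEN
6 c4 198.51.100.7 OPEN
6 c5 198.51.100.7 OPEN
15 c2 198.51.100.7 DATA
16 c3 198.51.100.7 DATA
25 c4 198.51.100.7 DATA
26 c5 198.51.100.7 DATA
30 c6 192.0.2.10 OPEN
38 c2 198.51.100.7 DATA
"""

def stalled_by_source(log_text, now, max_header_secs=10):
    """Return {src_ip: [conn_ids]} for connections that, at time `now`, have
    been open longer than max_header_secs without completing a request."""
    pending = {}  # conn_id -> (src_ip, open_time)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, conn, src, event = line.split()
        if float(ts) > now:
            break  # events are time-ordered; ignore anything after `now`
        if event == "OPEN":
            pending[conn] = (src, float(ts))
        elif event in ("COMPLETE", "CLOSE"):
            pending.pop(conn, None)  # simplification: one request per connection
        # DATA deliberately does not reset the clock: a trickle of partial
        # request bytes must not make a connection look healthy.
    stalled = defaultdict(list)
    for conn, (src, opened_at) in pending.items():
        if now - opened_at > max_header_secs:
            stalled[src].append(conn)
    return dict(stalled)

def flag_sources(log_text, now, max_header_secs=10, max_stalled=3):
    """Sources holding at least max_stalled stalled connections at `now`."""
    found = stalled_by_source(log_text, now, max_header_secs)
    return sorted(s for s, conns in found.items() if len(conns) >= max_stalled)
```

Measuring age from connection open rather than from the last byte received is the key design choice: an idle timer that restarts on every partial chunk is exactly what the behaviour described above keeps alive.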

CritiFence has released a free tool – called the PanelShockVCT (Vulnerability Check Tool) – that checks for PanelShock vulnerabilities.
