The experts tested the security of the embedded controller software for the automation of transformer substations Schneider Electric Easergy T300 and the separately supplied software Schneider Electric Easergy Builder, which is used to configure the equipment.
According to experts, the Easergy T300 web server turned out to be vulnerable to cross-site request forgery attack, which can lead to incorrect controller configuration and, as a result, to accidents. In addition, the controller is subject to denial of service due to vulnerability. Also, problems were discovered with encryption on the device, which is expressed in the possibility of obtaining private encryption keys, access to user accounts and gaining control over the device.
Schneider Electric “worked closely” with researchers to fix vulnerabilities, its press service said. Vulnerabilities were resolved with a free update, which can be immediately obtained by contacting the Schneider Electric customer service center, the company added.
Kommersant’s interlocutors from among Russian customers of Schneider Electric indicate that the indicated problems could be affected primarily by network companies. Schneider Electric itself did not disclose information about customers that could potentially be affected.