Schneider Electric is aware of multiple vulnerabilities affecting Treck Inc.’s embedded TCP/IP stack, collectively known as Ripple20, which Treck disclosed publicly on June 16. The vulnerabilities range in severity and therefore have varying levels of risk. Schneider Electric continues to assess how the newly disclosed vulnerabilities affect its offers. The company will continue to update this notification as additional offer-specific information becomes available.
Customers should immediately ensure they have implemented cyber security best practices across their operations to protect themselves from possible exploitation of these vulnerabilities. Where appropriate, this includes locating their industrial systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized access; preventing mission-critical systems and devices from being accessed from outside networks; and following the remediation and general security recommendations below.
Schneider Electric has determined that the following offers are impacted. The company will update this table as it continues to assess the impact these vulnerabilities have on its offers.
General Security Recommendations:
We strongly recommend the following industry cyber-security best practices.
•Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
•Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
•Place all controllers in locked cabinets and never leave them in the “Program” mode.
•Never connect programming software to any network other than the network for the devices that it is intended for.
•Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
•Never allow laptops that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
•Minimize network exposure for all control system devices and systems, and ensure that they are not accessible from the Internet.
•When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
All update patches that fix the security issues are available from this link.