EcoStruxure IT security

Application security   Schneider Electric is committed to securely develop and test against security threats to ensure cstomer data safety. Furthermore, Schneider Electric continuously employs a rotating number of 3rd party certified hackers to perform detailed penetration tests of the entire EcoStruxure IT platform.   Security training All new EcoStruxure IT software developers attend a mandatory security training which is given upon hire and every year after that. Additionally, they can choose to enroll in a White Hat Hacker training to receive the Ethical Hacker certification.   Peer review Any change to the EcoStruxure IT platform is subjected to a mandatory peer review where code and infrastructure changes are reviewed by at least one other engineer in order to validate code quality, security and performance.   All changes are tracked using a version control system (GIT) to ensure history, traceability and audit tracking.   Separate Environment EcoStruxure IT testing environments are physically isolated from the Production environment.   Application vulnerabilities   Dynamic Vulnerability Scanning Schneider Electric uses several third-party security tools to continuously dynamically scan the EcoStruxure IT platform for vulnerabilities. Schneider Electric maintains a committed security team to handle results and work with engineering teams to remediate issues.   Static Code Analysis All changes to source code are continuously scanned for bugs, security and license issues via static analysis tooling. Any source code change which doesn’t meet the EcoStruxure IT standards will be returned to the development team for improvement.   Third Party Security Penetration Testing Schneider Electric continuously employs a rotating number of third party certified hackers to perform detailed penetration tests on all components of EcoStruxure IT (gateway, mobile and web app). When new features are released, mission statements are handed to security experts to verify feature security.  Learn more about our security test report sharing policy   Incident Response The Schneider Electric Corporate Product Cyber Emergency Response Team (CPCERT) has defined vulnerability management processes to ensure efficient incident response. To report an incident, please contact your local Customer Care Center and include:   Product line Vulnerable version Vulnerability type [CWE ID, if available] Organization name Email adress Phone number Country   If you’re a researcher, please report a cybersecurity vulnerability here.   All vulnerability disclosures are reported on the Schneider Electric Cybersecurity Support Portal.   XSS Protection (Incident Validation) In accordance with industry best practices, we use strict procedures for output sanitization of all user input. This is enforced in part by static code analysis and also by using well known, tried and tested third party frameworks.   Product security features   The EcoStruxure IT platform is security hardened with a mandatory two-factor authentication and high encryption standards. Your data is securely transported to the EcoStruxure IT platform using the EcoStruxure IT Gateway, which uses an outbound connection to ensure no one can compromise your environment.   It is best practice to keep operating systems and browsers up to date and patched regularly in accordance to vendor recommendations.    Authentication security   Password policy The EcoStruxure IT password policy requires:   At least 8 characters in length. At least 3 of the following 4 types of characters: Lower case letters (a-z), Upper case letters (A-Z), Numbers (i.e. 0-9), Special characters (e.g. !@#$%^&* ) No more than 2 identical characters in a row (i.e. “aaa” not allowed)   EcoStruxure IT will validate your password, as long as it is not one of the 10,000 most common passwords and that it is not the first part of your email address.   Please note that your password will not expire according to recommended password policies by NIST & National Cyber Security Centre in the UK.   Multifactor Authentication Multifactor authentication provides another layer of security to your EcoStruxure IT account, making it more challenging for somebody else to sign in as you.   Multifactor authentication is turned on for all logins to EcoStruxure IT, whether you are a customer, partner or Schneider Electric employee.   Schneider Electric advises you to use the EcoStruxure IT app for second factor authentication or a 3rd-party authenticator app. Though it is possible to use short-lived one time SMS tokens as a last resort, it is not recommended.   Secure Credential Storage Schneider Electric follows secure credential storage best practices by never storing EcoStruxure IT passwords in clear text format, and only as the result of a bcrypt secure, salted hash.   Passwords are decoupled from the internal platform and saved using Auth0, a solution recommended by authentication management experts.   Failed Login Attempts Schneider Electric enforces brute force protection for EcoStruxure IT. You will be blocked from logging in to your account if you have entered a wrong password for more than 10 times from the same IP address. You will then receive instructions on how to unblock the IP address from EcoStruxure IT via email.   Schneider Electric enforces rate limits as well. If you attempt to log in 20 times per minute as the same user from the same location, regardless of having the correct credentials, the rate limit will apply. You will then only be able to make 10 attempts per minute.   EcoStruxure IT Gateway Security   Outbound Connection Schneider Electric is committed to keeping your data secure and private, even before it leaves your site. All connections from the EcoStruxure IT Gateway to our cloud are validated using an industry standard 2048 bit RSA certificate and data is encrypted in transit using 256 bit AES encryption.   To avoid compromising the security of your site, the EcoStruxure IT Gateway uses an outbound connection through Port 443, and only communicates to EcoStruxure IT cloud using 40.84.62.190, 23.99.90.28, 52.230.227.202, 52.177.161.233, and 52.154.163.222.   The communication from this outbound connection is always initiated by the Gateway. The Gateway connects to our cloud at regular intervals to check for messages, and then performs actions based on those messages.  Infographic: Learn more about how EcoStruxure IT applies updates to your infrastructure   Authentication All requests coming from the Gateway are signed using a unique private key created on installation and stored in the gateway, making it impossible to impersonate it.   Auto Updates The EcoStruxure IT Gateway features an auto-update functionality ensuring that the software security patching happens automatically and that the Gateway is always up-to-date. During the update, the Gateway continues to communicate sensor data and alarms to the cloud, minimizing downtime.   See EcoStruxure IT Gateway Security Handbook    Data privacy   Schneider Electric ensures the privacy and integrity of your data at all times. It is committed to complying with its obligations under the GDPR. EcoStruxure IT only uses machine data to optimize your experience with the platform – guaranteeing the confidentiality of your personal data.   Privacy Policy Learn more about privacy at Schneider Electric   GDPR The General Data Protection Regulation (“GDPR”) addresses the processing of personal data and the free movement of that data. Its goal is to strengthen the security and protection of personal data in the EU and to harmonize EU data protection law. This regulation sets out a number of data protection principles and requirements which must be adhered to when personal data is processed.   Schneider Electric is committed to complying with its obligations under the GDPR. Schneider Electric shares personal information with 3rd party data processors on a need-to-know basis.   Learn more about what personal data is shared with subprocessors and subcontractors   Personal Data Handling and Storage Schneider Electric collects sensor data and alarms from critical infrastructure devices that you choose to share with us. Schneider Electric only collects data about the performance of your equipment and metadata, such as where it’s located and how old it is.   Before being committed to storage, your data is tagged as yours. Your data is segregated from other customers data by a unique identifier, which the system uses to ensure proper matching of data. In addition, the cloud engine keeps a complete audit trail of the data received and the data processing, so we can always retrace our steps and see where your data has been and what it has been used for.   EcoStruxure IT does not access any data stored on your servers or storage, or monitor any traffic passed through your network. Data is stored on Microsoft Azure in the United States.    EcoStruxure IT Privacy Notice   Personal Data Use Firstly, Schneider Electric processes and stores data for you, so it’s available to you anywhere in the world through the EcoStruxure IT app. But more importantly, sharing your data with Schneider Electric allows us to optimize the services and products we provide, to help you optimize your data center, and to enable you to benchmark yourself with peers worldwide.   Automatic Personal Data Deletion When you deactivate your EcoStruxure IT account, our system automatically deletes your personal data for login. A historical record is kept for marketing purposes that is deleted after three years.   Data center and network security   Physical security   Facilities The EcoStruxure IT servers are hosted in the United States on the Microsoft Azure Cloud, which is ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2 certified.  Learn more about Microsoft Azure facilities, premises and physical security   Network security   Logical Access Access to the EcoStruxure IT Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is monitored, and is controlled by our Operations Team. Employees accessing the EcoStruxure IT Production Network are required to use multiple factors of authentication.   DDoS As EcoStruxure IT is running on Microsoft Azure, Schneider Electric leverages their always-on traffic monitoring, and real-time mitigation of common network-level attacks, providing the same defenses utilized by Microsoft’s online services.   Third Party Security Penetration Testing Schneider Electric continuously employs a rotating number of 3rd party certified hackers to perform detailed penetration tests of the entire EcoStruxure IT platform.  Learn more about our security test report sharing policy   Monitoring EcoStruxure IT is maintained and operated by a core DevOps team with extremely high standards for cyber security and data privacy. All parts of the EcoStruxure IT system are continuously monitored and scanned for potential security vulnerabilities or privacy issues. The DevOps team is on-call 24/7 and able to react promptly to newly discovered threats or issues.   Encryption   Encryption in Transit All connections to the EcoStruxure IT cloud are validated using an industry standard 2048 bit RSA certificate and data is encrypted in transit using 256 bit AES encryption. For Android versions prior to 7.0, Schneider Electric can only guarantee 128 bit AES encryption due to limitations in the Android platform.   Encryption at Rest EcoStruxure IT data is encrypted using 256 bit AES encryption.   Availability and Continuity   Uptime EcoStruxure IT maintains a publicly available system-status webpage which includes system availability details, scheduled maintenance, service incident history, and relevant security events.   Redundancy All components of the EcoStruxure IT platform are deployed in high availability configuration to eliminate single point of failure. All data is backed up to separate storage to prevent data loss.   Subprocessors and subcontractors for EcoStruxure IT   To support the delivery of EcoStruxure IT services, Schneider Electric uses subprocessors that may store and process personal data on users and subscribers to EcoStruxure IT services cloud solutions.   Subprocessors Personal Data   Entity name Purpose Entity country Auth0   Auth0 provides a universal authentication and authorization platform for web and mobile. EcoStruxure IT uses Auth0 as identity provider.   For this purpose user name, e-mail, telephone number, IP address and login log information are stored in Auth0.   USA Cloudflare   Cloudflare provides a global content delivery network, web application firewall and protection from distributed denial of service attack.   EcoStruxure IT uses Cloudflare to protect the service against malicious attacks.   Global Google    Google provides address lookups. EcoStruxure IT uses Google to do address lookups when adding new locations.   Global MapTiler   MapTiler provides customizable maps. EcoStruxure IT uses MapTiler to show maps to users of customer locations.   MapTiler is supported by OpenStreetMap.   Switzerland Segment   Segment is a single platform that collects, stores and routes user data to other tools. EcoStruxure IT uses segment to route analytics and event tracking of user behaviour to Totango.   For that purpose Segment stores the name, e-mail, and IP address of the user.   USA SendGrid   SendGrid is an e-mail service provider. EcoStruxure IT uses SendGrid to send invitations, machine data reports, and password resets.   For logging purposes SendGrid stores e-mail address and information on whether the e-mail has been delivered and opened.   USA Totango   Totango Inc. provide customer success software. EcoStruxure IT uses Totango to gain insights and analytics on customer behaviour and adaption as well as to send newsletters and updates to users.   Totango stores e-mails and phone numbers of users.   USA Twilio, Inc.   The EcoStruxure IT uses Twilio to send authentication tokens to end-users who have chosen SMS based two-factor authentication.   For this purpose Twilio has access to the users telephone number in order to send authentication tokens via SMS.   Twilio is also used to send alarm push notifications. For this purpose Twilio has access to the content of the alarm notification.   USA Salesforce   Salesforce provides cloud-based customer support services. EcoStruxure IT uses Salesforce as a ticketing system for registering customer incidents.   For that purpose Salesforce has access to and stores company/account name, names of users, e-mail, phone number, and information on incidents (alarms and ticket updates).   USA Slack   Slack is an instant messaging program used for organizational communication. EcoStruxure IT uses Slack to publish customer feedback.   For that purpose Slack stores company/account names, names of users, and subscription information.   USA   Subprocessors Hosting   Entity Name Purpose Entity Country Amazon Web Services   Amazon Web Services provide cloud hosting services.   USA Microsoft Azure   Microsoft Azure provide cloud hosting services. Microsoft Azure is our primary cloud hosting services provider.   USA    

EcoStruxure IT Expert, our cloud-based DCIM solution, has achieved ISO 27001 certification.   ISO 27001 is the leading international standard focused on information security.   This certification demonstrates our commitment to the highest standards of information security management, and our continued commitment to DCIM 3.0 as the most secure, reliable, and sustainable way to operate data centers.   Download the ISO 27001 Certificate   Download the Statement of Applicability

To support the delivery of EcoStruxure IT services, Schneider Electric uses subprocessors that may store and process personal data on users and subscribers to EcoStruxure IT services cloud solutions.   Subprocessors Personal Data   Entity name Purpose Entity country Auth0   Auth0 provides a universal authentication and authorization platform for web and mobile. EcoStruxure IT uses Auth0 as identity provider.   For this purpose user name, e-mail, telephone number, IP address and login log information are stored in Auth0.   USA Cloudflare   Cloudflare provides a global content delivery network, web application firewall and protection from distributed denial of service attack.   EcoStruxure IT uses Cloudflare to protect the service against malicious attacks.   Global Google    Google provides address lookups. EcoStruxure IT uses Google to do address lookups when adding new locations.   Global MapTiler   MapTiler provides customizable maps. EcoStruxure IT uses MapTiler to show maps to users of customer locations.   MapTiler is supported by OpenStreetMap.   Switzerland Segment   Segment is a single platform that collects, stores and routes user data to other tools. EcoStruxure IT uses segment to route analytics and event tracking of user behaviour to Totango.   For that purpose Segment stores the name, e-mail, and IP address of the user.   USA SendGrid   SendGrid is an e-mail service provider. EcoStruxure IT uses SendGrid to send invitations, machine data reports, and password resets.   For logging purposes SendGrid stores e-mail address and information on whether the e-mail has been delivered and opened.   USA Totango   Totango Inc. provide customer success software. EcoStruxure IT uses Totango to gain insights and analytics on customer behaviour and adaption as well as to send newsletters and updates to users.   Totango stores e-mails and phone numbers of users.   USA Twilio, Inc.   The EcoStruxure IT uses Twilio to send authentication tokens to end-users who have chosen SMS based two-factor authentication.   For this purpose Twilio has access to the users telephone number in order to send authentication tokens via SMS.   Twilio is also used to send alarm push notifications. For this purpose Twilio has access to the content of the alarm notification.   USA Salesforce   Salesforce provides cloud-based customer support services. EcoStruxure IT uses Salesforce as a ticketing system for registering customer incidents.   For that purpose Salesforce has access to and stores company/account name, names of users, e-mail, phone number, and information on incidents (alarms and ticket updates).   USA Slack   Slack is an instant messaging program used for organizational communication. EcoStruxure IT uses Slack to publish customer feedback.   For that purpose Slack stores company/account names, names of users, and subscription information.   USA   Subprocessors Hosting   Entity Name Purpose Entity Country Amazon Web Services   Amazon Web Services provide cloud hosting services.   USA Microsoft Azure   Microsoft Azure provide cloud hosting services. Microsoft Azure is our primary cloud hosting services provider.   USA     See also EcoStruxure IT security Application security Product security features  Data privacy  Data center and network security 

Physical security   Facilities The EcoStruxure IT servers are hosted in the United States on the Microsoft Azure Cloud, which is ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2 certified.  Learn more about Microsoft Azure facilities, premises and physical security   Network security   Logical Access Access to the EcoStruxure IT Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is monitored, and is controlled by our Operations Team. Employees accessing the EcoStruxure IT Production Network are required to use multiple factors of authentication.   DDoS As EcoStruxure IT is running on Microsoft Azure, Schneider Electric leverages their always-on traffic monitoring, and real-time mitigation of common network-level attacks, providing the same defenses utilized by Microsoft’s online services.   Third Party Security Penetration Testing Schneider Electric continuously employs a rotating number of 3rd party certified hackers to perform detailed penetration tests of the entire EcoStruxure IT platform.  Learn more about our security test report sharing policy   Monitoring EcoStruxure IT is maintained and operated by a core DevOps team with extremely high standards for cyber security and data privacy. All parts of the EcoStruxure IT system are continuously monitored and scanned for potential security vulnerabilities or privacy issues. The DevOps team is on-call 24/7 and able to react promptly to newly discovered threats or issues.   Encryption   Encryption in Transit All connections to the EcoStruxure IT cloud are validated using an industry standard 2048 bit RSA certificate and data is encrypted in transit using 256 bit AES encryption. For Android versions prior to 7.0, Schneider Electric can only guarantee 128 bit AES encryption due to limitations in the Android platform.   Encryption at Rest EcoStruxure IT data is encrypted using 256 bit AES encryption.   Availability and Continuity   Uptime EcoStruxure IT maintains a publicly available system-status webpage which includes system availability details, scheduled maintenance, service incident history, and relevant security events.   Redundancy All components of the EcoStruxure IT platform are deployed in high availability configuration to eliminate single point of failure. All data is backed up to separate storage to prevent data loss.   See also EcoStruxure IT security Application security Product security features  Data privacy  Subprocessors and subcontractors for EcoStruxure IT 

Schneider Electric ensures the privacy and integrity of your data at all times. It is committed to complying with its obligations under the GDPR. EcoStruxure IT only uses machine data to optimize your experience with the platform – guaranteeing the confidentiality of your personal data.   Privacy Policy Learn more about privacy at Schneider Electric   GDPR The General Data Protection Regulation (“GDPR”) addresses the processing of personal data and the free movement of that data. Its goal is to strengthen the security and protection of personal data in the EU and to harmonize EU data protection law. This regulation sets out a number of data protection principles and requirements which must be adhered to when personal data is processed.   Schneider Electric is committed to complying with its obligations under the GDPR. Schneider Electric shares personal information with 3rd party data processors on a need-to-know basis.   Learn more about what personal data is shared with subprocessors and subcontractors   Personal Data Handling and Storage Schneider Electric collects sensor data and alarms from critical infrastructure devices, that you choose to share with us. Schneider Electric only collects data about the performance of your equipment, and metadata such as where it’s located and how old it is.   Before being committed to storage, your data is tagged as yours. Your data is segregated from other customers data by a unique identifier, which the system uses to ensure proper matching of data. In addition, the cloud engine keeps a complete audit trail of the data received and the data processing, so we can always retrace our steps and see where your data has been and what it has been used for.   EcoStruxure IT does not access any data stored on your servers or storage, or monitor any traffic passed through your network. Data is stored on Microsoft Azure in the United States.    EcoStruxure IT Privacy Notice   Personal Data Use Firstly, Schneider Electric processes and stores data for you, so it’s available to you anywhere in the world through the EcoStruxure IT app. But more importantly, sharing your data with Schneider Electric allows us to optimize the services and products we provide, to help you optimize your data center, and to enable you to benchmark yourself with peers worldwide.   Automatic Personal Data Deletion When you deactivate your EcoStruxure IT account, our system automatically deletes your personal data for login. A historical record is kept for marketing purposes that is deleted after three years.   See also EcoStruxure IT security Application security Product security features  Data center and network security  Subprocessors and subcontractors for EcoStruxure IT 

The EcoStruxure IT platform is security hardened with a mandatory two-factor authentication and high encryption standards. Your data is securely transported to the EcoStruxure IT platform using the EcoStruxure IT Gateway, which uses an outbound connection to ensure no one can compromise your environment.   It is best practice to keep operating systems and browsers up to date and patched regularly in accordance to vendor recommendations.    Authentication security   Password policy The EcoStruxure IT password policy requires:   At least 8 characters in length. At least 3 of the following 4 types of characters: Lower case letters (a-z), Upper case letters (A-Z), Numbers (i.e. 0-9), Special characters (e.g. !@#$%^&* ) No more than 2 identical characters in a row (i.e. “aaa” not allowed)   EcoStruxure IT will validate your password, as long as it is not one of the 10,000 most common passwords and that it is not the first part of your email address.   Please note that your password will not expire according to recommended password policies by NIST & National Cyber Security Centre in the UK.   Multifactor Authentication Multifactor authentication provides another layer of security to your EcoStruxure IT account, making it more challenging for somebody else to sign in as you.   Multifactor authentication is turned on for all logins to EcoStruxure IT, whether you are a customer, partner or Schneider Electric employee.   Schneider Electric advises you to use the EcoStruxure IT app for second factor authentication or a 3rd-party authenticator app. Though it is possible to use short-lived one time SMS tokens as a last resort, it is not recommended.   Secure Credential Storage Schneider Electric follows secure credential storage best practices by never storing EcoStruxure IT passwords in clear text format, and only as the result of a bcrypt secure, salted hash.   Passwords are decoupled from the internal platform and saved using Auth0, a solution recommended by authentication management experts.   Failed Login Attempts Schneider Electric enforces brute force protection for EcoStruxure IT. You will be blocked from logging in to your account if you have entered a wrong password for more than 10 times from the same IP address. You will then receive instructions on how to unblock the IP address from EcoStruxure IT via email.   Schneider Electric enforces rate limits as well. If you attempt to log in 20 times per minute as the same user from the same location, regardless of having the correct credentials, the rate limit will apply. You will then only be able to make 10 attempts per minute.   Gateway Security   Outbound Connection Schneider Electric is committed to keeping your data secure and private, even before it leaves your site. All connections from the EcoStruxure IT Gateway to our cloud are validated using an industry standard 2048 bit RSA certificate and data is encrypted in transit using 256 bit AES encryption.   To avoid compromising the security of your site, the EcoStruxure IT Gateway uses an outbound connection through Port 443, and only communicates to EcoStruxure IT cloud using 40.84.62.190, 23.99.90.28, 52.230.227.202, 52.177.161.233, and 52.154.163.222.   The communication from this outbound connection is always initiated by the Gateway. The Gateway connects to our cloud at regular intervals to check for messages, and then performs actions based on those messages.  Infographic: Learn more about how EcoStruxure IT applies updates to your infrastructure   Authentication All requests coming from the Gateway are signed using a unique private key created on installation and stored in the gateway, making it impossible to impersonate it.   Auto Updates The EcoStruxure IT Gateway features an auto-update functionality ensuring that the software security patching happens automatically and that the Gateway is always up-to-date. During the update, the Gateway continues to communicate sensor data and alarms to the cloud, minimizing downtime.   See also EcoStruxure IT security Application security Data privacy  Data center and network security  Subprocessors and subcontractors for EcoStruxure IT   

Schneider Electric is committed to securely develop and test against security threats to ensure customer data safety. Furthermore, Schneider Electric continuously employs a rotating number of 3rd party certified hackers to perform detailed penetration tests of the entire EcoStruxure IT platform.   Secure development   Security training All new EcoStruxure IT software developers attend a mandatory security training which is given upon hire and every year after that. Additionally, they can choose to enroll in a White Hat Hacker training to receive the Ethical Hacker certification.   Peer review Any change to the EcoStruxure IT platform is subjected to a mandatory peer review where code and infrastructure changes are reviewed by at least one other engineer in order to validate code quality, security and performance.   All changes are tracked using a version control system (GIT) to ensure history, traceability and audit tracking.   Separate Environment EcoStruxure IT testing environments are physically isolated from the Production environment.   Application vulnerabilities   Dynamic Vulnerability Scanning Schneider Electric uses several third-party security tools to continuously dynamically scan the EcoStruxure IT platform for vulnerabilities. Schneider Electric maintains a committed security team to handle results and work with engineering teams to remediate issues.   Static Code Analysis All changes to source code are continuously scanned for bugs, security and license issues via static analysis tooling. Any source code change which doesn’t meet the EcoStruxure IT standards will be returned to the development team for improvement.   Third Party Security Penetration Testing Schneider Electric continuously employs a rotating number of third party certified hackers to perform detailed penetration tests on all components of EcoStruxure IT (gateway, mobile and web app). When new features are released, mission statements are handed to security experts to verify feature security.  Learn more about our security test report sharing policy   Incident Response The Schneider Electric Corporate Product Cyber Emergency Response Team (CPCERT) has defined vulnerability management processes to ensure efficient incident response. To report an incident, please contact your local Customer Care Center.   If you’re a researcher, please report a cybersecurity vulnerability here.   All vulnerability disclosures are reported on the Schneider Electric Cybersecurity Support Portal.   XSS Protection (Incident Validation) In accordance with industry best practices, we use strict procedures for output sanitization of all user input. This is enforced in part by static code analysis and also by using well known, tried and tested third party frameworks.   See also EcoStruxure IT security Product security features  Data privacy  Data center and network security  Subprocessors and subcontractors for EcoStruxure IT 

For a list of impacted products and remediations, please refer to Schneider Electric's security bulletin which contains the most up to date information: https://www.se.com/ww/en/download/document/SEVD-2022-067-02/   Based on the current information and analysis available, the EcoStruxure IT Gateway is not impacted by the TLStorm vulnerabilities.   CVE-2022-22806 and CVE-2022-22805  The IT Gateway uses a different TLS implementation than the affected UPSs. These vulnerabilities have not been discovered in that toolchain.   CVE-2022-0715 The EcoStruxure IT Gateway uses different authentication mechanisms and does not have user installable firmware like a UPS.   The IT Gateway does facilitate firmware updates to the NMC on the UPS, via the secure EcoStruxure IT Expert cloud application only, using officially released firmware packages.  It does not have the ability to update the firmware on the UPS itself.   IT Expert Device Security assessment   The Device Security assessment in IT Expert includes a TLStorm analysis. For the most accurate device analysis, be sure to keep your APC Network Management Card (NMC) firmware up to date and your Gateway updated to the latest version.

On October 25th, 2022, the OpenSSL project team announced that the forthcoming version 3.0.7 would be released on November 1, 2022 to address a critical severity vulnerability affecting OpenSSL versions 3.0 and newer.   Schneider Electric is aware of two vulnerabilities tracked as CVE-2022-3786 and CVE-2022-3602 in the third-party component, OpenSSL. We are working to assess how these vulnerabilities impact Schneider Electric offers.   We recommend customers implement cybersecurity best practices across their operations as outlined in the Schneider Electric Recommended Cybersecurity Best Practices document.   For a list of impacted products and remediations, please refer to Schneider Electric's security bulletin which contains the most up to date information: https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp   As additional information related to this vulnerability presents, products could move from non-impacted to impacted status.   Based on the current information and analysis available, the following products are not impacted by the OpenSSL vulnerability:   Data Center Expert (DCE) EcoStruxure IT Gateway and Gateway Appliance EcoStruxure IT Expert (ITE) IT Advisor (ITA) (hosted and on premise) Data Center Operations (DCO) NetBotz v4.x (355, 450, 455, 550, 570) NetBotz v5.x (750, 755) NetBotz 250 NetBotz Wireless Sensor Update Utility

A critical severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j library was disclosed on December 9, 2021.   For EcoStruxure IT Expert and a list of impacted products and remediations, please refer to Schneider Electric's security bulletin which contains the most up to date information: https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp   Based on the current Log4j information and analysis available, the following products are not impacted by the Log4j CVE-2021-44228 vulnerability.   Data Center Expert (DCE) IT Advisor (ITA) (hosted and on premise) Data Center Operations (DCO) NetBotz 250 NetBotz v4.x (355, 450, 455, 550, 570) Network Management Cards: AP9630/AP9630CH/AP9630J AP9631/AP9631CH/AP9631J AP9635/AP9635CH AP9640/AP9640J AP9641/AP9641J AP9643 Any device which includes Network Management Card Technology. Easy UPS Network Management Cards: APV9601 APV9602 EcoStruxure TM Ready Smart-UPS (SmartConnect) PowerChute TM Personal Edition (Desktop shutdown software for Back-UPS).

Cybersecurity The Schneider Electric Cybersecurity Portal is the single source for up-to-date information about cybersecurity vulnerabilities and incidents for installed solutions including EcoStruxure IT Gateway.   To stay informed, register to receive email notifications for new releases and updated security information.   See also Application security  Product security features  Data privacy  Data center and network security  Subprocessors and subcontractors for EcoStruxure IT