Welcome to the new Schneider Electric Community

It's your place to connect with experts and peers, get continuous support, and share knowledge.

  • Explore the new navigation for even easier access to your community.
  • Bookmark and use our new, easy-to-remember address (community.se.com).
  • Get ready for more content and an improved experience.

Contact SchneiderCommunity.Support@se.com if you have any questions.

Close
Invite a Co-worker
Send a co-worker an invite to the Exchange portal.Just enter their email address and we’ll connect them to register. After joining, they will belong to the same company.
Send Invite Cancel
84702members
354078posts

PM8000 - Perceived security flaws and general security

Metering & Power Quality

Collaborate with multiple experts and discuss various topics about Power Meters and Power Quality. From design & implementation to troubleshooting and more, get support from experts and share your experiences by subscribing to the Schneider Electric Exchange forum today.

Solved
Rich_Lannaghan
Commander | EcoXpert Master Commander | EcoXpert Master
Commander | EcoXpert Master
0 Likes
1
488

PM8000 - Perceived security flaws and general security

 

 We have a client who has done a vulnerability scan on the network where we have a few devices connected to their network (specification was for an integrated building network) the one device that's causing issues for us is the PM8000 and they are classing the below from their reports as flaws or vulerabilities,

 

Vulnerability in bold, suggested remidiation in italics

 

1. IP Forwarding Enabled "On Linux, you can disable IP forwarding by doing :
echo 0 > /proc/sys/net/ipv4/ip_forward
On Windows, set the key 'IPEnableRouter' to 0 under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
On Mac OS X, you can disable IP forwarding by executing the command :
sysctl -w net.inet.ip.forwarding=0
For other systems, check with your vendor."

2. Modbus/TCP Coil Access Restrict access to the Modbus port (TCP/502) to authorized Modbus clients

 

3. Modbus/TCP Discrete Input Access Restrict access to the Modbus port (TCP/502) to authorized Modbus clients.

 

4. Modbus/TCP Device Identification Restrict access to the Modbus port (TCP/502) to authorized Modbus clients.

 

4. Web Application Potentially Vulnerable to Clickjacking - "Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response.This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags."

5. Web Server Transmits Cleartext Credentials Make sure that every sensitive form transmits content over HTTPS.

We have had discussions with them and highlighetd the fact that we can't run the commands they are suggesting, i also cant see a way of filtering the TCP requests to specific IP's

 

The webserver is easy enough to sort as i can just shut it down on the meter but the others are proving more of an issue, I have suggested that all these should be fixed by them using their firewalls and routed network but that's falling on deaf ears, all i get is "speak to the manufacturer and request a fix"

 

Any ideas or suggestions for a way to try and solve these issues or is there some settings hidden in the PM8000 that we can indeed use to sort the above ?

 

 


Accepted Solutions
Cliff_Schubert
Lieutenant JG Lieutenant JG
Lieutenant JG
0 Likes
0
482

Re: PM8000 - Perceived security flaws and general security

(*this comment and response was also posted in the EcoStruxure Power Monitoring Expert area - https://exchangecommunity.schneider-electric.com/t5/EcoStruxure-Power-Monitoring/PM8000-Perceived-se...)

 

Hi Rich,

 

#1 IP forwarding is fixed in PM8000 firmware version 1.4.3
https://www.schneider-electric.com/en/download/document/PM8000_V001.004.003/

#2-4 - Modbus TCP can be configured to be disabled, read-only mode, and read-write mode. By default it is in read-only mode, set by the 'Allow Modbus Programming' option in the Security Options module.

Can you elaborate more on the end-users' concern with the available options?

#4 - Web page Clickjacking - noted and we are able to confirm the issue.

#5 - HTTPS support is part of the next PM8000 release, tentatively scheduled for early 2019. As you suggest, it can also be disabled if the user is not using that feature.

 

Thanks - Cliff

See Answer In Context

1 Reply 1
Cliff_Schubert
Lieutenant JG Lieutenant JG
Lieutenant JG
0 Likes
0
483

Re: PM8000 - Perceived security flaws and general security

(*this comment and response was also posted in the EcoStruxure Power Monitoring Expert area - https://exchangecommunity.schneider-electric.com/t5/EcoStruxure-Power-Monitoring/PM8000-Perceived-se...)

 

Hi Rich,

 

#1 IP forwarding is fixed in PM8000 firmware version 1.4.3
https://www.schneider-electric.com/en/download/document/PM8000_V001.004.003/

#2-4 - Modbus TCP can be configured to be disabled, read-only mode, and read-write mode. By default it is in read-only mode, set by the 'Allow Modbus Programming' option in the Security Options module.

Can you elaborate more on the end-users' concern with the available options?

#4 - Web page Clickjacking - noted and we are able to confirm the issue.

#5 - HTTPS support is part of the next PM8000 release, tentatively scheduled for early 2019. As you suggest, it can also be disabled if the user is not using that feature.

 

Thanks - Cliff