Posted by Robert Vamosi on September 19, 2016
ICS-CERT says power meters from two manufacturers are vulnerable to remote cross-site request forgery (CSRF) attacks and/or compromise.
In one advisory, ICS-CERT cited Schneider Electric’s ION Power Meter products. A remote attacker using CSRF could perform unauthorized actions on the affected devices, such as changing configuration parameters or saving a modified configuration. Models affected include ION 73xx, ION 75xx, ION 76xx, ION 8650, ION 8800, and PM5xxx. Schneider Electric is working with ICS-CERT to remediate the situation. In the short term, customers should disable web-facing features and locate the product behind a firewall. Schneider Electric also said the devices do not force a password change upon installation and recommends that users change the passwords from the default setting.
In another alert, ICS-CERT disclosed that exploit code was available in the wild for the FENIKS PRO Elnet LT Energy & Power analyzer. This code could allow attackers to manage the device without authentication. Unlike Schneider, which is working with ICS-CERT on a solution, FENIKS PRO has not acknowledged the exploit code. ICS-CERT issued this alert to provide early notice of the report and identify baseline mitigations for reducing risks from these and other cybersecurity attacks. For mitigation, ICS-CERT recommends disabling web-facing services and locating the product behind a firewall. ICS-CERT also recommends changing the password on the Elnet LT Energy & Power analyzer.