[Imported] Spectre Vulnerability and Trio Chipsets ?


[Imported] Spectre Vulnerability and Trio Chipsets ?

>>Message imported from previous forum - Category:Trio Data Radios<<
User: joelw, originally posted: 2018-10-17 23:15:46 Id:129
This is a re-posting from the obsoleted (October 2018) "Schneider Electric Telemetry & SCADA" forum.


I just asked the same question in the SCADAPack section, but I'm also curious about the Trio radios. Are the Chipsets a potential vulnerability? If so are security patches in the works? If not please explain._**


I'm not sure you really understand the Spectre vulnerability (or the Meltdown vulnerability which is more important as it provides the actual exploit pathway).

The SCADAPack should only ever be executing your own pre-approved code, so the possibility of code privilege escalation should not be a factor. If you have a SCADAPack that executes arbitrary code via Javascript or something, please let me know.. it sounds cool.

The Trio radio should only ever be executing Schneider developed pre-approved code, so again the possibility of code privilege escalation should not be a factor. Again, if you know of a way to have a Trio radio execute arbitrary code let me know.

Perhaps you can detail what you think the Spectre vulnerability is about...
And what the possible impact would be on your SCADAPack and Trio Radio?

Spectre / Meltdown is important in regards to the security of 'secrets' within the Telemetry space... but there are much more credible threats that should have actions applied against them before you start to worry about Spectre / Meltdown.


I found:
[https://ds9a.nl/articles/posts/spectre-meltdown/](https://ds9a.nl/articles/posts/spectre-meltdown/ "https://ds9a.nl/articles/posts/spectre-meltdown/")
a great read on Spectre and Meltdown


Again forgive me for my ignorance on the subject. Really just didn't know what chipsets are in these products so I can tell customers "they are safe and not affected by this". I was not aware of the code privilege escalation and was simply interested in the affected chipsets.
I have sent my customers the security notification that was sent by the Schneider Clearscada Product team. It was very clear and helpful. I do not have any javascript code...I will get right on that!
Thanks for your time!_**


Note that Schneider's comment on these vulnerabilities (and others now and into the future) are at https://www.schneider-electric.com/en/work/support/cybersecurity/security-notifications.jsp, whilst there perhaps isn't anything technically specific there for now I expect there would be updates as necessary


Got this reply from Trio Engineering:

**"While the Trio J & Q CPUs are technically vulnerable, the exploit appears not to be possible, as we do not permit installation and execution of 3rd party (attacker) software." **

SE's notification regarding Spectre is posted here. Customers can monitor it for updates:
[https://www.schneider-electric.com/en/download/document/SEVD-2018-005-01/](https://www.schneider-ele... "https://www.schneider-electric.com/en/download/document/SEVD-2018-005-01/")