Executive Summary
Schneider Electric Easergy MiCOM Px40 Series protection relays expose basic device identification through the SNMP protocol without adequate access control, allowing an unauthenticated actor with network reach to enumerate relay identity and firmware attributes. These are the relays that trip breakers on medium, high, and extra high voltage feeders, so even a low-severity disclosure feeds directly into targeting of the assets that keep the grid inside its physical operating envelope.
Technical Exposure Breakdown
The vulnerable component is the SNMP service running on the Px40 platform, which spans the P40 Agile family used for feeder, transformer, generator, and busbar protection. The reported condition is information disclosure of basic device identification data. This is not a memory corruption or remote code execution primitive. It is a reconnaissance-grade flaw, and it should be treated as one.
The attack vector is network access to the SNMP interface, typically UDP port 161. In most substation deployments SNMP was enabled for network management system polling and never hardened. Default or weak community strings, most commonly public for read access, are still routine in the field. An actor who has reached the station bus or process bus, or who has pivoted from a compromised engineering workstation, can query the relay and pull identity fields that confirm exact model and firmware revision.
The condition required is simply reachability plus a valid or default community string. No authentication bypass is needed because SNMP v1 and v2c authenticate only on the community string, which is transmitted in cleartext and often shared across an entire fleet. That is the real exposure. The disclosed data by itself is low value. The disclosed data mapped against a vulnerability database that tracks 25,000+ ICS CVEs across 175,000+ OT products is a firmware fingerprint that lets an adversary select the next exploit with precision.
OT Impact and Compliance Risk
Nothing in this advisory causes a relay to misoperate on its own. The physical risk is second order. A protection relay that has been fingerprinted is a relay whose known weaknesses can be matched to its exact build, which shortens the path from access to manipulation of protection settings or trip logic. Misconfigured or maliciously altered protection functions can cause failure to trip on a real fault, or nuisance trips that de-energize load, both of which have direct consequences for grid stability.
For compliance, IEC 62443 zone and conduit requirements are the primary lens here. An SNMP service reachable outside its intended management conduit is a boundary failure. Under NERC CIP, this touches CIP-005 electronic security perimeter controls and CIP-007 system security management, specifically ports and services and the disabling of unused network accessible functions. An enabled SNMP service that leaks identity data is exactly the kind of unnecessary port and service that CIP-007 requires operators to justify or disable. Auditors will ask why it is on and what community strings protect it.
Compensating Controls
Do not treat firmware update as the first move. On a live substation, patching a protection relay is a scheduled maintenance activity with test procedures, not a same-day action. Active scanning to inventory affected relays is also dangerous, since aggressive SNMP polling or port sweeps can lock up or destabilize embedded protection hardware. Passive inventory and configuration review are the correct starting point.
- Disable SNMP on relays where no network management system consumes the data. This is the cleanest control and directly satisfies CIP-007 ports and services hygiene.
- Where SNMP is required, move to SNMP v3 with authentication and encryption, and eliminate v1 and v2c community strings. If the platform does not support v3, restrict the service to a dedicated management VLAN with strict access control lists.
- Segment the management plane. SNMP polling should traverse a defined conduit between the relay and the NMS only, never the general station network.
- Deploy a virtual patch at the segmentation boundary. A Suricata rule concept: alert on UDP 161 traffic sourced from any host outside the authorized NMS address set toward relay subnets, and alert on SNMP GET requests carrying the
publicorprivatecommunity string. This gives detection without touching the relay.
Rotate any shared community strings and audit which hosts have ever polled these relays. A fingerprinting attempt is a strong early indicator of staged reconnaissance.
BreachSpider Intel
BreachSpider tracks exposure and exploitation signals across the OT product landscape so operators can prioritize protection relay hardening before a reconnaissance flaw becomes a targeting map.