A critical vulnerability that affects some of GE’s protection relays poses a serious threat to the power grid, researchers have claimed. The vendor has started releasing patches for the security hole.
A team of researchers from New York University said they identified a severe flaw in some of GE’s Multilin SR protection relays, which are widely deployed in the energy sector. The experts will detail and demonstrate an exploit at the upcoming Black Hat conference in Las Vegas, but they have shared some information on their findings.
“Essentially, we completely broke the home brew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations,” the experts wrote in their abstract for the conference. “Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack.”
In an advisory published on Thursday, ICS-CERT said the remotely exploitable vulnerability, tracked as CVE-2017-7905, is related to the use of non-random initialization vectors when encrypting passwords, which exposes them to dictionary attacks.
An attacker who can obtain the password — either from the front LCD panel or via Modbus commands — can hijack the affected device.
ICS-CERT reported that the flaw affects the 750 and 760 Feeder Protection Systems, 369 and 469 Motor Protection Relays, 745 Transformer Protection Relays, and 489 Generator Protection Relays.
GE has already released firmware updates that address the vulnerability for most of these devices, except for 369 Motor Protection Relays, for which patches are expected to become available in June.
The vendor has also advised users to follow physical and network security best practices to prevent exploitation of the flaw, including keeping the devices in a secure environment, removing passwords for decommissioned devices, implementing network segmentation, and monitoring the network for malicious activity.
GE has released an advisory, but it’s only available to customers. The company told SecurityWeek that the affected products are “a limited family of legacy GE products that were developed in the 1990s before current industry expectations for security.” GE said it was not aware of any incidents where the security hole had been exploited.
While the recent disruptions to Ukraine’s energy supply have clearly demonstrated that attacks on the power grid are a reality, it’s not uncommon for cybersecurity researchers to exaggerate the impact of their findings. It remains to be seen exactly how easily this flaw can be exploited after more information is made available.
*Correction: Initial article had error on CVE ID: Corrected to CVE-2017-7905