Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Here’s How Security Flaws in GE Relays Could Be Exploited in Real World Attacks

Organizations using Universal Relay (UR) products made by GE’s Grid Solutions have been informed this week that many of the devices in this product line are affected by nearly a dozen vulnerabilities.

Organizations using Universal Relay (UR) products made by GE’s Grid Solutions have been informed this week that many of the devices in this product line are affected by nearly a dozen vulnerabilities.

Grid Solutions is a GE Renewable Energy business that provides electricity management solutions for the energy sector, including oil and gas, as well as industry and infrastructure organizations.

Advisories published this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and GE Grid Solutions (account required) inform customers that more than a dozen UR protection and control relays are impacted by a series of vulnerabilities to which 10 different CVE identifiers have been assigned. The vendor has released firmware updates that should patch the vulnerabilities.

GE grid relay vulnerabilitiesThe flaws are related to inadequate encryption of communications, exposure of potentially sensitive information, cross-site scripting (XSS) attacks, denial-of-service (DoS) attacks, unauthorized firmware uploading, the inability to disable a factory service mode, and the presence of hardcoded credentials in the bootloader. More than half of the vulnerabilities have a severity rating of high or critical.

Researchers from SCADA-X, Verve Industrial, VuMetric and the Department of Energy’s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program have been credited for finding the security holes.

Ron Brash, director of cyber security insights at ICS management and cybersecurity provider Verve Industrial Protection, told SecurityWeek that he has identified two or possibly three of the vulnerabilities — he says it’s difficult to say exactly due to multiple disclosures and some likely overlap. These include flaws that can be exploited to upload malicious firmware to the device, obtain potentially sensitive information, and access a device or disrupt it.

According to Brash, exploitation of these vulnerabilities requires direct or network access to the targeted system.

Advertisement. Scroll to continue reading.

“Generally these devices are not found on the Internet directly unless someone has not applied any secure deployment strategies, or has inadvertently misconfigured various network infrastructure devices/security apparatuses,” he explained.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

In terms of impact, the expert pointed out that while the vulnerable relays are used within the energy industry, they are not limited to the “grid.”

“For example, a mine may be generating power, and these types of devices might be present,” Brash explained. “This can mean that the results or motivations of what ‘an attacker could do’ might be situationally dependent, or require specific contexts. Therefore, in continuation of the example, if your mine needs energy to keep liquids unfrozen (e.g., washes, effluent management systems, etc), and the mine is located in Canada’s North, then you might have a BIG problem during winter. Secondly, if you can get access to these devices, and upload your own logic or firmware, then you can effectively brick them, upload malicious functionality, and the consequences will be highly negative.”

He added, “I don’t wish to speculate as to the motives, or what could be accomplished by an attacker, but if exploited at scale (which by the way, takes a great level of skill, budget, and organization) – nothing positive would result.”

Contacted by SecurityWeek, GE said it’s currently not aware of any attacks exploiting these vulnerabilities.

“GE was made aware of vulnerabilities related to GE’s Grid Solutions’ Universal Relay (UR) family products and immediately worked to assess any potential impact and remediate the reported vulnerabilities. GE’s UR firmware Version 8.10 and greater resolve the identified vulnerabilities, and we encourage our customers to visit the Grid Solutions customer portal and/or the CISA Advisory for additional information and mitigation recommendations,” said a GE spokesperson.

Related: Critical Flaw in GE Protection Relays Exposes Power Grid

Related: Over 100 GE Healthcare Devices Affected by Critical Vulnerability

Related: Open Source Tool Helps Organizations Secure GE CIMPLICITY HMI/SCADA Systems

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.