Security Experts:

Connect with us

Hi, what are you looking for?



Vulnerability Allows Hackers to Take Control of ABB Substation Protection Devices

A critical vulnerability affecting some Relion protection devices from ABB can be exploited to take control of a device or cause it to become inoperable, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) warned last week.

A critical vulnerability affecting some Relion protection devices from ABB can be exploited to take control of a device or cause it to become inoperable, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) warned last week.

The flaw affects Relion 670 series devices made by Swiss-based industrial technology solutions provider ABB. These products provide protection and control capabilities for electrical substations and, according to CISA, they are used worldwide in the energy and critical manufacturing sectors.

Advisories published by CISA and ABB — ABB published an advisory on October 22 — the security hole is tracked as CVE-2019-18253 and it has a CVSS score of 10. An attacker who has network access to the device can exploit the flaw using specially crafted messages that abuse the fopen or fdelete functions to read or delete files from the device.ABB Relion protection device vulnerability

The vulnerability is related to the IEC 61850 standard, which defines communication protocols for intelligent devices at electrical substations. More specifically, the issue involves the Manufacturing Message Specification (MMS), which is used for transferring real time process data and supervisory control information between devices.

ABB has released updates that should patch the vulnerability and as a workaround it has advised customers to disable the IEC 61850 protocol if it’s not used. The company says it has seen no evidence that the vulnerability has been exploited for malicious purposes.

Learn More About Vulnerabilities in Industrial Products at SecurityWeek’s 2020 ICS Cyber Security Conference

Kirill Nesterov, head of reverse engineering at Kaspersky and the researcher who discovered the vulnerability, told SecurityWeek that the filesystem of affected Relion devices contains two types of files, ones related to general functioning and ones designed to support processes, such as power relay protection in the substation.

“Reading configuration files provides information on which services are running, along with read/delete access for executable files providing monitoring, configuration and core operating functions,” Nesterov explained.

According to the researcher, an attacker can exploit the vulnerability to obtain sensitive information, such as usernames and passwords, which can be leveraged to gain full control of the targeted device.

Process-related files, which are typically in the SCL (Substation Configuration Language) format, can also contain information that is valuable to an attacker.

“They describe the operations of the digital substation and can provide insights on infrastructure, industrial process and safety settings for protection relay devices. Here is just one example of how electricity (power) related data is configured through these files,” Nesterov said.

Exploiting the vulnerability to delete files can also pose a serious threat. Removing files and causing a denial-of-service (DoS) condition on the device will prevent the operator from controlling the system and can result in safety features being disabled, for example, causing the device to not react to a short circuit on the power line.

Experiments conducted by Nesterov showed that removing certain files can cause the device to become inoperable until its firmware is reinstalled. However, he noted that it would not be easy for an attacker to cause serious damage at a substation.

“Most of the safety-related scenarios are not straightforward, as everything is duplicated on the substation,” he explained. “Also, taking into account the type of entity receiving the power, there could be several substations powering the same entities to guarantee power availability.”

“The most critical aspect of the vulnerability was that it provided the means to gain full access to the device where one could control the power line connected to the power relay protection device, or gain persistence on the device for later process impact,” Nesterov said.

CISA also reported last week that Relion 650 and 670 series devices are affected by a medium-severity vulnerability that can be exploited to cause devices to reboot. While the device is rebooting, its primary functionality is not available. This issue was reported to ABB by researchers at ScadaX.

Related: Vulnerability in ABB Plant Historian Disclosed 5 Years After Discovery

Related: Critical Flaw in GE Protection Relays Exposes Power Grid

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.