Security Experts:

Vulnerability Allows Hackers to Take Control of ABB Substation Protection Devices

A critical vulnerability affecting some Relion protection devices from ABB can be exploited to take control of a device or cause it to become inoperable, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) warned last week.

The flaw affects Relion 670 series devices made by Swiss-based industrial technology solutions provider ABB. These products provide protection and control capabilities for electrical substations and, according to CISA, they are used worldwide in the energy and critical manufacturing sectors.

Advisories published by CISA and ABB — ABB published an advisory on October 22 — the security hole is tracked as CVE-2019-18253 and it has a CVSS score of 10. An attacker who has network access to the device can exploit the flaw using specially crafted messages that abuse the fopen or fdelete functions to read or delete files from the device.ABB Relion protection device vulnerability

The vulnerability is related to the IEC 61850 standard, which defines communication protocols for intelligent devices at electrical substations. More specifically, the issue involves the Manufacturing Message Specification (MMS), which is used for transferring real time process data and supervisory control information between devices.

ABB has released updates that should patch the vulnerability and as a workaround it has advised customers to disable the IEC 61850 protocol if it’s not used. The company says it has seen no evidence that the vulnerability has been exploited for malicious purposes.

Learn More About Vulnerabilities in Industrial Products at SecurityWeek’s 2020 ICS Cyber Security Conference

Kirill Nesterov, head of reverse engineering at Kaspersky and the researcher who discovered the vulnerability, told SecurityWeek that the filesystem of affected Relion devices contains two types of files, ones related to general functioning and ones designed to support processes, such as power relay protection in the substation.

“Reading configuration files provides information on which services are running, along with read/delete access for executable files providing monitoring, configuration and core operating functions,” Nesterov explained.

According to the researcher, an attacker can exploit the vulnerability to obtain sensitive information, such as usernames and passwords, which can be leveraged to gain full control of the targeted device.

Process-related files, which are typically in the SCL (Substation Configuration Language) format, can also contain information that is valuable to an attacker.

“They describe the operations of the digital substation and can provide insights on infrastructure, industrial process and safety settings for protection relay devices. Here is just one example of how electricity (power) related data is configured through these files,” Nesterov said.

Exploiting the vulnerability to delete files can also pose a serious threat. Removing files and causing a denial-of-service (DoS) condition on the device will prevent the operator from controlling the system and can result in safety features being disabled, for example, causing the device to not react to a short circuit on the power line.

Experiments conducted by Nesterov showed that removing certain files can cause the device to become inoperable until its firmware is reinstalled. However, he noted that it would not be easy for an attacker to cause serious damage at a substation.

“Most of the safety-related scenarios are not straightforward, as everything is duplicated on the substation,” he explained. “Also, taking into account the type of entity receiving the power, there could be several substations powering the same entities to guarantee power availability.”

“The most critical aspect of the vulnerability was that it provided the means to gain full access to the device where one could control the power line connected to the power relay protection device, or gain persistence on the device for later process impact,” Nesterov said.

CISA also reported last week that Relion 650 and 670 series devices are affected by a medium-severity vulnerability that can be exploited to cause devices to reboot. While the device is rebooting, its primary functionality is not available. This issue was reported to ABB by researchers at ScadaX.

Related: Vulnerability in ABB Plant Historian Disclosed 5 Years After Discovery

Related: Critical Flaw in GE Protection Relays Exposes Power Grid

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.