Vulnerability Allows ABB Substation Security System Control Hackers

ABB Substation Protection Devices

Many ABB Relion defense systems can use a critical vulnerability to take or render a system inoperative, cautioned the DHS Cybersecurity and Infrastructure Security Agency (CISA) last week.

The vulnerability has an effect on Relion 670 series products produced by Swiss industrial solutions supplier ABB. Such devices have electrical substation safety and control capabilities and are used in the power and essential industries worldwide in conjunction with CISA.

CISA and ABB advisories released by the ABB on October 22 are reported as CVE-2019-18253 and have a CVSS score of 10. An attacker who has network access to the device can use specially created messages to abuse fopen or delete files from the device.

The vulnerability is associated with the IEC 61850 standard, which defines communication protocols for electrical substations with intelligent devices. Specifically, the issue is the Manufacturing Message Specification (MMS) used to transfer real-time process data and control information between devices.

ABB has released updates to patch the vulnerability and has advised customers, when not using, to deactivate the IEC 61850. The company says that it has not seen any evidence of the exploitation of vulnerability for malicious purposes. You may use the following free web scanning tool to know the issue directly.

Kirill Nesterov, Kaspersky’s reverse engineering manager, and the researcher who discovered the vulnerability, said that the Relion filesystem contains two types of files: those relating to general operation and those designed to support processes like power relay protection in a substation.

“Reading configuration files provides information on what services are running and read / delete access to executable files that provide control, configurations and core operating functions,” describe Nesterov.

The researcher says that an attacker can take advantage of a vulnerability to gather sensitive information, such as usernames and passwords, so that a targeted device is fully controlled.

Files typically linked to the process in the SCL (Substation Language Configuration) format can also contain information valuable to an attacker.

“They describe the digital substation operations and can provide insights on infrastructure, industrial processes and safety settings for protective relay equipment. Here is only an example of how electricity (power) information is configured via these files, “said Nesterov.

Deleting files may also pose a serious threat by exploiting the vulnerability. Remove files and cause the device to deny service (DoS) condition will prevent the system operator from controlling and may lead to the disabled safety features, for instance, causing the device not to react to a power-line short circuit.

Experiments carried out by Nesterov showed that deleting certain files could make the system inoperative until the firmware has been reinstalled. He noted, however, that it would not be easy for an attacker to cause a substation serious damage.

“Most security scenarios are not straightforward, because everything on the substation is duplicated,” he said. “There could, moreover, be several substations which could power the units to guarantee power availability, considering the type of entity receiving power.” “The most crucial aspect of this vulnerability was that it was the means by which the power line connected to the power relay protection device could have full access or persistence on the device for

CISA also announced last week that Relion 650 and 670 devices were affected by a medium-sized vulnerability to reset phones. Upon rebooting, the system does not have the primary features. Researchers at ScadaX reported this problem to ABB.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.