This afternoon the DHS ICS-CERT published their 15th advisory for a Crain-Sistrunk identified improper input validation vulnerability. This one was for the Orion Master and Slave modules from NovaTech. NovaTech has produced a firmware update that Crain-Sistrunk have verified mitigates the identified vulnerability.
As is typical for this series of advisories, ICS-CERT reports that there are twin vulnerabilities; one affecting IP communications and the other affecting serial communications. The advisory notes that a skilled moderately attacker could remotely exploit the IP vulnerability to execute a denial of service attack. A higher attacker skillset, according to ICS-CERT, would be required to exploit the serial communications vulnerability because either physical access would be required or a social engineering attack would have to be included in the exploit.
While I am not an electrical transmission system engineer, the discussions I’ve seen about the serial communications vulnerability would seem to indicate that certain non-technical skills (cutting a fence or climbing a ladder) would be required to gain physical access to the slave devices, the level of technical skill required to plug in a serial cable is quite low.
BTW, according to the count on the Project Robus web site there are still 10 (or maybe 11, Adam Crain may have lost count of the vulnerable systems) vulnerability reports wending their way through the coordinated disclosure system for nearly identical vulnerabilities. There probably would be more, but Crain-Sistrunk (and now Todorski) have moved on to bigger and better discoveries. Besides, no one wants to catalog all of the systems that are vulnerable because they are based upon a vulnerable library from Triangle Microworks.