Wednesday, April 7, 2021

Device or Protocol Vulnerability

As I wrote my blog post last night about the latest NCCIC-ICS advisory, I asked myself whether this vulnerability is unique to the Hitachi ABB devices being reported, or whether it is a problem with the IEC 61850 protocol implementation being used by Hitachi ABB. This was not a question that I could answer; my knowledge about the grid pretty much ends at the power pole outside of my house, so I ignored the question for the purposes of that post. Unfortunately, it kept nagging at me…

So, this morning, I did a little reading about the IEC 61850 protocol. I found a nice article here from another vendor in the field that gives a rather more technical explanation of what goes on than I need, but it makes me feel slightly more qualified to ask the question and draw some conclusions.

IEC 61850

This protocol is essentially an internet-of-things communications protocol for devices within a substation. It was designed to allow an almost plug-and-play situation for adding new devices to a substation operation. This eases the engineering burden at the substation and ultimately aids in streamlining operations and probably maintenance. You now have the totality of my understanding of IEC 61850.

Oops, one other thing: IEC 61850 is not a piece of software or firmware. It is a set of complex rules for naming and communications that various vendors are expected to adhere to when developing their own software and firmware for devices that claim IEC 61850 compatibility.

The Vulnerability

Neither the NCCIC-ICS advisory nor the Hitachi ABB advisories provide much in the way of details about the reported vulnerability. NCCIC-ICS describes it as an ‘improper input validation’ vulnerability, while Hitachi ABB notes that the “vulnerability exists in the command handling of the device”. Both make it clear that the vulnerability exists in “only products with IEC 61850 interfaces”. Both also note that the attacker must have access to the “IEC 61850 network”.

Protocol Implementation

It would seem to me, therefore, that this is a problem with the implementation of the IEC 61850 protocol in the affected devices, not with the protocol itself. Whether this is a uniquely Hitachi ABB problem remains to be seen. If they use an internally developed implementation, then this could be a unique problem. If they use software developed by someone else (a third-party protocol stack shared with other vendors), we will almost certainly see similar advisories for other products. Unfortunately, even if this was an internally developed implementation, it could mean problems for other vendors if they make similar errors in the way they interpret the protocol.
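To make the distinction between "the rules" and "the implementation" concrete, here is an added illustration that is not code from the original post, from Hitachi ABB, or from any IEC 61850 stack. It uses a constructed, simplified command frame (real IEC 61850 control commands are carried over MMS with ASN.1 encoding, which is not reproduced here) and a hypothetical two-entry object table. The point is that a standard can specify what a well-formed command looks like, but every one of the checks below is something the implementer must write; an "improper input validation" bug in command handling is, by definition, one of these checks being missing or wrong.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy frame layout (NOT the IEC 61850/MMS encoding):
 *   [cmd_type:1][object_index:1][value_len:1][value:value_len] */
enum cmd_status {
    CMD_OK = 0,
    CMD_ERR_TRUNCATED,     /* frame shorter than the fixed header */
    CMD_ERR_UNKNOWN_TYPE,  /* command code not in the spec */
    CMD_ERR_BAD_OBJECT,    /* object index outside the device's table */
    CMD_ERR_BAD_LENGTH,    /* declared value length disagrees with the frame */
    CMD_ERR_OUT_OF_RANGE   /* value outside the object's permitted range */
};

enum { CMD_OPERATE = 0x01, CMD_SELECT = 0x02 };
#define CMD_HEADER_LEN 3
#define MAX_VALUE_LEN  4

/* Hypothetical controllable objects; names only mimic 61850-style references. */
struct control_object {
    const char *name;
    uint32_t min_value, max_value, current;
};
static struct control_object objects[] = {
    { "CSWI1$Pos",    0,  1, 0 },  /* breaker position: 0 = open, 1 = closed */
    { "ATCC1$TapChg", 1, 17, 9 },  /* tap changer position, 1..17 */
};
#define NUM_OBJECTS (sizeof objects / sizeof objects[0])

/* Every check here is implementer's code, not something the standard supplies. */
enum cmd_status handle_command(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < CMD_HEADER_LEN)
        return CMD_ERR_TRUNCATED;
    uint8_t cmd = frame[0], idx = frame[1], vlen = frame[2];
    if (cmd != CMD_OPERATE && cmd != CMD_SELECT)
        return CMD_ERR_UNKNOWN_TYPE;
    if (idx >= NUM_OBJECTS)                 /* omitting this = out-of-bounds table read */
        return CMD_ERR_BAD_OBJECT;
    /* Never trust the declared length on its own: it must match the bytes present. */
    if (vlen == 0 || vlen > MAX_VALUE_LEN || frame_len - CMD_HEADER_LEN != vlen)
        return CMD_ERR_BAD_LENGTH;
    uint32_t value = 0;
    for (size_t i = 0; i < vlen; i++)       /* big-endian value, at most 4 bytes */
        value = (value << 8) | frame[CMD_HEADER_LEN + i];
    struct control_object *obj = &objects[idx];
    if (value < obj->min_value || value > obj->max_value)
        return CMD_ERR_OUT_OF_RANGE;
    if (cmd == CMD_OPERATE)                 /* SELECT only validates; OPERATE applies */
        obj->current = value;
    return CMD_OK;
}

uint32_t object_value(size_t idx)
{
    return idx < NUM_OBJECTS ? objects[idx].current : 0xFFFFFFFFu;
}

/* Constructed sample frames. */
static const uint8_t frame_operate_tap12[]  = { CMD_OPERATE, 0x01, 0x01, 0x0C };
static const uint8_t frame_select_tap5[]    = { CMD_SELECT,  0x01, 0x01, 0x05 };
static const uint8_t frame_operate_tap18[]  = { CMD_OPERATE, 0x01, 0x01, 0x12 }; /* 18 > 17 */
static const uint8_t frame_truncated[]      = { CMD_OPERATE, 0x01 };
static const uint8_t frame_bad_object[]     = { CMD_OPERATE, 0x05, 0x01, 0x01 };
static const uint8_t frame_short_payload[]  = { CMD_OPERATE, 0x00, 0x02, 0x01 }; /* says 2, has 1 */
static const uint8_t frame_huge_length[]    = { CMD_OPERATE, 0x00, 0x08, 0x01 };

int main(void)
{
    printf("operate tap=12 : %d\n", handle_command(frame_operate_tap12, sizeof frame_operate_tap12));
    printf("select  tap=5  : %d (current stays %u)\n",
           handle_command(frame_select_tap5, sizeof frame_select_tap5), object_value(1));
    printf("operate tap=18 : %d\n", handle_command(frame_operate_tap18, sizeof frame_operate_tap18));
    printf("truncated      : %d\n", handle_command(frame_truncated, sizeof frame_truncated));
    printf("bad object     : %d\n", handle_command(frame_bad_object, sizeof frame_bad_object));
    printf("short payload  : %d\n", handle_command(frame_short_payload, sizeof frame_short_payload));
    printf("huge length    : %d\n", handle_command(frame_huge_length, sizeof frame_huge_length));
    return 0;
}
```

Two vendors can read the same clause of the standard and end up with different code here: one validates the declared length against the bytes actually received, the other copies `value_len` bytes on trust. Both "implement IEC 61850"; only one of them is exploitable from the IEC 61850 network. That is why an advisory worded as "improper input validation in command handling" points at the implementation rather than at the protocol.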

Why is this important? The security of electrical distribution systems is important in its own right, but this is another case in point where we can relearn the lesson that the increasing complexity of electronic device interaction and communications increases the attack surface of the systems where those devices are used. There needs to be more attention paid, up front in the design and even in the protocol development process, to ensuring the secure design of these systems.
