Security vulnerabilities found in Hitachi ABB Power Grids TropOS, Retail Operations, CSB equipment


The Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday revealed that Hitachi ABB Power Grids TropOS, Retail Operations, and Counterparty Settlement Billing (CSB) equipment contain several security vulnerabilities. The hardware is deployed globally across the critical manufacturing and energy sectors.

Hitachi ABB Power Grids TropOS hardware contains various security weaknesses including injection, inadequate encryption strength, missing authentication for critical function, improper authentication, improper validation of integrity check value, and improper input validation.

“An attacker could use a weakness in the Wi-Fi protocol to implement a man-in-the-middle attack, snooping WiFi frames and appending undetected packet fragments that could be used to spoof IP address and/or DNS information. A client connected to a TropOS Wi-Fi access point could be directed to fake websites, used to extract sensitive data,” Hitachi ABB Power Grids said in its advisory.

Successful exploitation of these vulnerabilities could allow an attacker to direct a client that is connected to a TropOS Wi-Fi access point to fake websites and extract sensitive data, the CISA advisory said. The security vulnerabilities have been found in Hitachi ABB Power Grids TropOS firmware version and prior. Hitachi ABB Power Grids reported the vulnerabilities to CISA.

To mitigate risks from the Hitachi ABB Power Grids TropOS, the company has advised users to disable the Wi-Fi access on any TropOS unit where local Wi-Fi access is not required. This is achieved by not enabling (or disabling) the local access SSID (Service Set Identifier), the company advisory said. Where Wi-Fi access is required, wherever possible ensure that physical access to the local area is restricted to approved staff only, while using the Wi-Fi whitelist capability to restrict Wi-Fi access to only approved personnel.

As the vulnerability is targeted at an end-user device and generally involves redirection to fraudulent websites, the installation of comprehensive firewall capabilities on company end-user devices and servers will significantly reduce the likelihood of negative outcomes, Hitachi ABB Power Grids said. Although these mitigation strategies will not remediate the underlying vulnerability, they can help block known attack vectors.

Hitachi ABB Power Grids also found an insufficiently protected credential vulnerability in its Retail Operations and CSB equipment. The exploitation of the vulnerability could allow an attacker to access database credentials, shut down the product, and access or alter system data, CISA said in its advisory.

“An attacker who has gained access to an authorized user’s computer could exploit the vulnerability to access database credentials and gain read/edit access to the application data,” the company said in its advisory. “This vulnerability is only exposed if an authorized user’s computer has been accessed independently of the Retail Operations product.”

Retail Operations is a software system used by utilities and energy marketers to estimate load and generation, aggregate load and generation meter data, perform scheduling and energy accounting functions, communicate with market operators, and perform wholesale billing and settlement functions, Hitachi ABB Power Grids said. An attacker who exploits the vulnerability could obtain unauthorized access to the database schema. With that information, an attacker could access/remove system data or render the system inoperable. Exploiting the vulnerability requires the attacker to first obtain access to the user computing environment and network credentials, it added.

Hitachi ABB Power Grids reports that this vulnerability affects Retail Operations versions 5.7.2 and prior, and all CSB versions 5.7.2 and prior. “A vulnerability associated with a weakness in credential protection on the client environment of Retail Operations version 5.7.2 and prior allows an attacker, or an unauthorized user, who successfully exploits this vulnerability to access database credentials, shut down the product and access or alter system data,” the company said.

Hitachi ABB Power Grids recommends that customers apply the Retail Operations v5.7.3 update at their earliest convenience.

Last week, CISA found security weaknesses in AVEVA Software’s SuiteLink Server equipment, xArrow SCADA hardware, and Siemens’ SINEMA Remote Connect Client equipment.