Device or Protocol Vulnerability

As I wrote my blog post last night about the latest NCCIC-ICS, I asked myself: is this vulnerability unique to the Hitachi ABB devices being reported, or is it a problem with the IEC 61850 protocol implementation being used by Hitachi ABB? This was not a question that I could answer; my knowledge about the grid pretty much ends at the power pole outside of my house, so I ignored the question for the purposes of that post. Unfortunately, it kept nagging at me…

So, this morning, I did a little reading about the IEC 61850 protocol. I found a nice article here from another vendor in the field that gives a rather more technical explanation of what goes on than I need, but it makes me feel slightly more qualified to ask the question and draw some conclusions.

IEC 61850

This protocol is essentially an internet of things
communications protocol for devices within a substation. It was designed to
allow an almost plug-and-play situation for adding new devices to a substation
operation. This eases the engineering burden at the substation and ultimately
aids in streamlining operations and probably maintenance. You now have the
totality of my understanding of IEC 61850.

Oops, one other thing; IEC 61850 is not a piece of software
or firmware. It is a set of complex rules for naming and communications that
various vendors are expected to adhere to when developing their own software
and firmware for their devices that claim IEC 61850 compatibility.

The Vulnerability

Neither the NCCIC-ICS advisory nor the Hitachi ABB
advisories provide much in the way of details about the reported vulnerability.
NCCIC-ICS describes it as an ‘improper input validation’ vulnerability while
Hitachi ABB notes that the “vulnerability exists in the command handling of the
device”. Both make it clear that the vulnerability exists in “only products
with IEC 61850 interfaces”. Both, again, note that the attacker must have
access to the “IEC 61850 network”.

Protocol Implementation

It would seem to me, therefore, that this is a problem with
the implementation of the IEC 61850 protocol in the affected devices. Whether this
is a uniquely Hitachi ABB problem remains to be seen. If they use an internally
developed implementation, then this could be a unique problem. If they use
software developed by someone else, we will almost certainly see similar
advisories for other products. Unfortunately, even if this was an internally
developed implementation, it could mean problems for other vendors if they make
similar errors in the way they interpret the protocol.
Why is this important? The security of electrical distribution
systems is important in its own right, but this is another case in point where
we can relearn the lesson that the increasing complexity of electronic device
interaction and communications increases the attack surface of the systems
where those devices are used. More attention needs to be paid, up front in
the design process and even in protocol development, to ensuring the secure
design of these systems.