Relay Race: Getting a Handle on Known Risks in the GE UR Family

Verve research featured in ICS-CERT warning on GE’s popular line of advanced protection and control relays. Here’s what asset owners need to know.


ICS-CERT this week issued an advisory detailing nine critical vulnerabilities affecting GE’s Universal Relay (UR) Family, including several that could allow an attacker to access sensitive information, reboot the devices, gain privileged access, or crash the system via denial-of-service.

The vulnerabilities in ICSA-21-075-02 affect GE’s B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, T60 relays and carry an aggregate CVSS score of 9.8. Researchers at Verve Industrial as well as teams from SCADA-X, VuMetric, and the U.S. Department of Energy’s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program contributed individual discoveries to the multi-part advisory.

Verve researchers found that the GE products in question could allow unrestricted file uploads via the official OEM tool, including unsigned and unvalidated firmware. The Verve team also reported exposure of sensitive information (insecure Modbus functions and non-standard behavior) and the presence of hard-coded credentials in the associated bootloader that could be leveraged by an attacker when interrupting the boot sequence.

Other issues covered in the advisory include inadequate encryption, weaknesses in SSH implementation, use of insecure HTTP, poor input validation, and an inability to disable the devices’ factory service mode.

To mitigate the risks associated with ICSA-21-075-02, GE recommends updating UR devices to firmware Version 8.10 or higher. GE provides additional information on mitigation for registered users in their publication GES-2021-004.
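One way to triage an asset inventory against the model list and firmware threshold above, as an added example that is not Verve's or GE's code. The CSV column names, asset names and sample rows are constructed, and the script assumes firmware is recorded as "major.minor" and compared component by component.

```python
import csv
import io
import re

# Affected models as listed in the advisory text above.
AFFECTED = set("B30 B90 C30 C60 C70 C95 D30 D60 F35 F60 G30 G60 "
               "L30 L60 L90 M60 N60 T35 T60".split())
FIXED = (8, 10)  # GE recommendation: firmware Version 8.10 or higher

def parse_version(text):
    """Return (major, minor), or None if the field is not 'N.N' (assumed format)."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)\s*", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(inventory_csv):
    """Map each asset to 'update', 'ok', 'unknown' or 'not-affected'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = row["model"].strip().upper()
        if model not in AFFECTED:
            status = "not-affected"
        else:
            version = parse_version(row["firmware"])
            if version is None:
                status = "unknown"  # missing or odd value: check the device itself
            elif version < FIXED:
                status = "update"
            else:
                status = "ok"
        results[row["asset"]] = status
    return results

# Constructed sample inventory (hypothetical assets and column layout).
SAMPLE = """asset,model,firmware
sub1-feeder-a,F60,7.80
sub1-line-2,l90,8.03
sub2-xfmr-1,T60,8.10
sub2-gen-1,G60,v8.20
sub3-bus-1,B90,
sub3-other-1,XYZ1,3.1
"""

if __name__ == "__main__":
    for asset, status in triage(SAMPLE).items():
        print(f"{asset:15} {status}")
```

Rows marked unknown are kept separate from ok so that a blank or malformed firmware field is never counted as patched.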

Beyond the OEM’s specific recommendations, when it comes to significant advisories like this, we always recommend a calm, measured approach with a healthy dose of security basics. Some things to keep in mind when vulnerabilities make headlines:

Advisories such as these are concerning, but no cause for panic. GE UR devices are responsible for the safe and reliable creation of energy, after all, so their security weaknesses certainly deserve our full attention. As always, we suggest a balanced and realistic approach to remediation consistent with the vendor’s recommendations.

On top of that, a layered-defense approach goes a long way toward safeguarding any affected organization. Asset owners should always be maintaining accurate, detailed inventories, keeping up with patching and updates, disabling unnecessary functionality, and monitoring for abnormal behavior.

These security fundamentals, coupled with controls on both physical and remote access to systems and devices, constitute an effective first line of protection for OT/ICS environments no matter what new threat is making news on any given day.

Ron Brash, Director of Cyber Security Insights

Originally published at https://verveindustrial.com/resources/blog/relay-race-getting-a-handle-on-known-risks-in-the-ge-ur-family/
