GE patches flaws allowing attackers to ‘disconnect power grid at will’

Researchers have discovered a significant software flaw in the energy grid equipment sold by General Electric (GE) that could allow even lone attackers with limited resources to “disconnect sectors of the power grid at will”.

Until last week, this alarming sentence was little more than part of a placeholder abstract for July’s Black Hat conference, advertising a session by three researchers from New York University.

Last week, however, GE suddenly announced that it had issued fixes for five of the six flaws, with the last on its way.

Black Hat sessions specialise in telling the world about new flaws and proof-of-concept attacks, but it is unusual in this sector for the mere publication of a session abstract to spur a vendor into action like this.

The researchers have released only the barest details of the issue, but we know it affects the General Electric Multilin product line. Boasts the Black Hat briefing note:

Essentially, we completely broke the homebrew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations.

This doesn’t sound good, nor does the fact that the researchers promise a live demo of the compromise as part of a “budget” attack.

The significance lies in the fact that, as the note puts it, “to date, cyber-attacks against power systems are considered to be extremely sophisticated and only within the reach of nation-states”.

The two best documented energy grid attacks, the 2015 and 2016 attacks on Ukraine’s power distribution network, were pinned on hackers backed by the resources of a nation state. If the session serves up something that anyone could pull off, even that assumption will start to wilt.

GE reacted by telling Reuters:

We have been in the process of issuing notifications and providing product upgrades to our affected customer base on available firmware updates to address this issue.

GE added that the flaw had not been used to cause power outages and only involved GE protection relays dating from the 1990s, “before current industry expectations for security”.

One might point out that protection relays installed in the 1990s by vendors such as GE are still in service across a lot of the US grid and beyond. Finding and patching that equipment could take a lot of effort for an industry not used to the luxury of downtime.

The counter-argument is that compromising energy systems still requires a lot of understanding of the target. It’s not clear that a bedroom attacker would have that knowledge, nor the ability to exploit every stage of the attack remotely.

It does at least serve to remind us how security researchers have gone from nuisance to saviour. Patching energy grid systems is the sort of problem the world must find a way to live with.