GE bug could allow hackers to ‘disconnect sectors of the power grid’
Image credit: Dreamstime
General Electric Co (GE) is fixing a bug in their software, after researchers revealed a vulnerability in their outdated management system which could allow hackers to disconnect parts of their power grid.
The vulnerability in GE’s software was uncovered by three New York security experts, who report that they found the bug in the software which controls the flow of electricity in its power system
“We completely broke the home brew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations. Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack,” the researchers wrote in an online abstract.
The trio are expected to present further details of their findings at the Black Hat USA conference in Las Vegas in July, a major information security event.
This vulnerability could allow hostile parties to gain access to and control GE protection relays. Protection relays trigger a circuit breaker to interrupt power transmission when a fault is detected. This prevents damage to the circuit due to excess current.
GE spokesperson Annette Busateri said that the company was not aware of any instances of the bug being exploited to cause power outages. The protection relays which could be affected are outdated, she reported, having been introduced in the 1990s “before current industry expectations for security”.
Given that the electricity industry runs on systems for many decades before upgrading to new technologies, these relays are still in widespread use.
Ms Busateri said that GE had issued patches for five of the six models affected by the vulnerability and is due to release the sixth patch soon.
“We have been in the process of issuing notifications and providing product upgrades to our affected customer base on available firmware updates to address this issue.”
Given a background of more frequent cyber attacks between nation states, awareness of cyber warfare and its impact on citizens is growing. In December 2015, Russian hackers carried out an attack on the Ukrainian power grid, compromising the systems of three energy distribution companies and disrupting the electricity supply. In December 2016, another cyber attack led to a temporary blackout as whole sections of Kiev’s power grid were wiped out.
More recently, a Russian hacking operation dubbed Grizzly Steppe was found to have interfered in the Vermont utility system.