By Bruce Sussman
Mon | Nov 18, 2019 | 11:33 AM PST

It's called the Power Generation Information Manager (PGIM), and it is used worldwide in industrial sectors including dams, energy, water, agriculture, manufacturing, and chemicals.

Security vulnerability for ABB industrial technology

Now comes word that a critical security vulnerability in it went years without being fully addressed.

And it's a vulnerability that CISA lists as "Exploitable remotely, requiring a low skill level to exploit," with a CVSS score of 9.8 out of 10.

The flaw is an authentication bypass: a remote attacker may be able to skip the login step entirely and extract credentials from the affected application. Because credentials pulled from one system are often valid on others, this could in some cases lead to deep penetration of an industrial network.

Swiss-based industrial technology and automation provider ABB is the vendor of the affected product.

Industrial security bug goes years without being fully disclosed

SecurityWeek has a fresh angle on this story after it talked to the researcher who alerted the company to the vulnerability in the first place.

Rikard Bodforss told ABB about the industrial security vulnerability in 2014, but it took until the end of 2019 for public disclosure. Here's why:

"Bodforss told SecurityWeek that he reported his findings to ABB in 2014, shortly after discovering the vulnerability, but the vendor allegedly downplayed the issue at the time. Nevertheless, the vendor had promised him that it would work on a patch and discreetly reach out to affected customers to inform them of the vulnerability.

In reality, it appears that ABB forgot about the vulnerability and failed to inform customers of its existence until recently when Bodforss discussed the flaw at the CS3STHLM ICS/SCADA cybersecurity conference in Sweden."

Why did an industrial security flaw take years to disclose?

The CISA ICS Advisory does not answer the question of what took so long, although we can read between the lines here.

The company is moving away from the Power Generation Information Manager (PGIM) altogether, and has some great news for customers: you can upgrade to get better security!

"Users are advised to upgrade to Symphony Plus Historian, which is not affected by this vulnerability. Symphony Plus Historian is the successor to the PGIM and Plant Connect products and features improved cybersecurity."

The company's marketing materials for its upgraded products promise a "comprehensive approach to cyber security," and claim, "our global reach brings world-class capabilities to your locality to ensure successful outcomes."

Everyone likes successful outcomes. But what if you're not ready to upgrade? The company says there are some steps you should take to mitigate the risk:

"ABB further recommends users of PGIM not use the same credentials for Windows login as used to log into the PGIM and Plant Connect applications.

Additionally, end users who cannot immediately upgrade should consider protecting network communication by use of IPSec or other means."
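One way to act on the IPsec recommendation above on a Windows host, as an added example that is not ABB's or CISA's own configuration: require IPsec with machine Kerberos authentication for all traffic to the PGIM listening port, and allow that port through the host firewall only for connections the IPsec layer has authenticated. The port number and the client address list are assumptions passed in as parameters; the real port must come from ABB's product documentation, and the script assumes the server and its clients are domain-joined so Kerberos machine authentication is available.

```powershell
# Added example, not ABB's or CISA's configuration. Assumptions:
#   - PGIM/Plant Connect runs on Windows and listens on TCP port $PgimPort
#     (placeholder: take the real value from ABB's documentation);
#   - server and clients are domain-joined, so machine Kerberos can be used
#     for IPsec peer authentication;
#   - $AllowedClients lists the subnets/hosts that legitimately reach PGIM.
# Run as Administrator on the PGIM server (NetSecurity module, Windows Server
# 2012 / Windows 8 or later).
param(
    [Parameter(Mandatory)][int]$PgimPort,
    [Parameter(Mandatory)][string[]]$AllowedClients   # e.g. '10.10.1.0/24'
)

$ErrorActionPreference = 'Stop'

# 1. Phase 1 (main mode) authentication: the peer proves its machine identity
#    with Kerberos. A host that is not in the domain cannot complete negotiation.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'PGIM machine Kerberos' `
                                      -Proposal $proposal

# 2. Connection security rule: IPsec is *required* (not merely requested) in
#    both directions for traffic to/from the PGIM port. A peer that cannot
#    authenticate at the IPsec layer never gets a TCP session with PGIM, so the
#    application-level authentication bypass is not reachable from it.
New-NetIPsecRule -DisplayName 'PGIM require IPsec' `
    -Protocol TCP -LocalPort $PgimPort `
    -RemoteAddress $AllowedClients `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name

# 3. Firewall rule: admit the PGIM port only for IPsec-authenticated
#    connections from the allowed addresses. Windows Firewall blocks inbound
#    traffic by default, but any pre-existing broader allow rule for this port
#    would undo the restriction, so list such rules and disable them.
$broader = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq "$PgimPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($rule in $broader) {
    Write-Warning "Existing inbound allow rule for port ${PgimPort}: $($rule.DisplayName)"
}

New-NetFirewallRule -DisplayName 'PGIM allow authenticated clients only' `
    -Direction Inbound -Protocol TCP -LocalPort $PgimPort `
    -RemoteAddress $AllowedClients `
    -Authentication Required -Action Allow
```

The same IPsec rule (with `-RemoteAddress` pointing at the server) has to be present on each client, otherwise the client's unprotected connection attempts are simply dropped. This is a compensating control that narrows who can reach the vulnerable service; it does not fix the bypass itself, and the advisory's separate recommendation not to reuse Windows credentials in PGIM still applies, since extracted application credentials are only as valuable as the other systems they unlock.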

And Jon Clay of Trend Micro says an intrusion prevention system (IPS) can certainly help in situations like this:

"If an organization cannot patch or move to the newer version, they can look at a virtual patch using a network IPS solution which could protect them from an exploit."

Virtual patching of this kind blocks known exploit traffic at the network layer without touching the vulnerable host, and broader protocol-anomaly rules may also catch some variants the IPS has not seen before. It buys time for the upgrade; it is not a substitute for it.
