The Cybersecurity and Infrastructure Security Agency (CISA) published an update for a vulnerability that was found in Hitachi Energy’s Transformer Asset Performance Management (APM) Edge. The vulnerability has a low attack complexity and a common vulnerability scoring system (CVSS) version 3.0 score of 8.2 out of 10.
- APM Edge version 1.0
- APM Edge version 2.0
- APM Edge version 3.0
Addressing the vulnerability, Hitachi Energy stated that the company is aware of the reports of the vulnerability in open-source software components like GRUB2 bootloader, libxml2, LibSSL, and OpenSSL. Users were asked to update to Transformer APM Edge v4.0 to combat threats.
Security measures suggested by Hitachi Energy
The company offered security practices to protect vulnerable process control networks. They are as follows:
- Preserving the physical process control systems from unknown entities.
- Not directly connecting to the internet.
- Not using process control systems for using the internet for surfing, instant messaging, receiving emails, etc.
- Running anti-virus scans of portable computers and the removable storage media before connecting them to a control system.
This is an update of previously known vulnerabilities documented on December 2, 2021, by CISA and Hitachi. The list of vulnerabilities included, however, was not limited to the following:
These vulnerabilities impacted the transformer asset performance management (APM) Edge products. It also allowed security bypass, data theft, TCP connection hijacking, unauthorized system reboot, and denial of service (DoS) attacks.
The following products were impacted:
- APM Edge – versions 1.0, 2.0 and 3.0
- RTU500 series CMU – multiple firmware versions
- PCM600 update manager – multiple versions
- Relion 670/650/SAM600-IO – multiple versions, all revisions
The vulnerabilities allowed hackers to exploit the OpenSSL and LibSSL components, memory information theft, application crashes, and bypass security tools. Updates to combat the effects of the vulnerabilities were released, as mentioned in the advisory