
The Risk of Unpatched Vulnerabilities in SEL Power System Management Products


SEL Power System Management Products Patched for Nine Vulnerabilities

September 5, 2023

In recent news, US-based company Schweitzer Engineering Laboratories (SEL) has patched nine vulnerabilities found in its electric power management products. These vulnerabilities were discovered by researchers at industrial cybersecurity firm Nozomi Networks. While SEL provides a wide range of products and services for the electric power sector, the vulnerabilities were specifically found in the SEL-5030 acSELerator QuickSet and SEL-5037 Grid Configurator software products.

The Severity of the Vulnerabilities

Nozomi researchers have assigned a ‘high severity’ rating to four of the nine vulnerabilities, while the remaining five have been classified as ‘medium severity’. Among the most severe vulnerabilities is CVE-2023-31171, which allows arbitrary code execution on the engineering workstation running the SEL software. This can be achieved by tricking the user into importing a device configuration from a specially crafted file. Furthermore, this vulnerability can be exploited in conjunction with CVE-2023-31175 to escalate privileges.

Nozomi Networks warns that these vulnerabilities can be used by malicious insiders or external threat actors, potentially via social engineering, to steal sensitive data, conduct surveillance, manipulate device logic, and move laterally within the victim’s network.

Previous Vulnerabilities Discovered

This is not the first time SEL products have been found to have vulnerabilities. In May, Nozomi Networks reported 19 security holes in SEL computing platforms running the vendor’s Realtime Automation Controller (RTAC) suite. These vulnerabilities had the potential to allow an unauthenticated remote attacker to alter the core functionality of the device and gain access to other systems protected by the same credentials.

Analysis and Commentary

The Importance of Securing Industrial Control Systems (ICS)

Incidents like the vulnerabilities discovered in SEL’s power system management products highlight the critical need for robust cybersecurity measures in industrial control systems (ICS). The power sector plays a vital role in a nation’s infrastructure, and any compromise in these systems could have far-reaching consequences, including blackouts, disruptions to critical services, and even national security risks.

Industrial control systems are responsible for managing and controlling the hardware and software systems within critical infrastructure, such as power plants, water treatment facilities, and transportation systems. As these systems become increasingly digitized and interconnected, they also become more vulnerable to cyber threats.

The Challenge of Securing ICS

Securing industrial control systems presents unique challenges compared to securing traditional IT systems. These challenges stem from the need to balance system availability and reliability with the necessary security measures. While security patches and updates are fundamental components of traditional IT security, the implementation of these updates in ICS environments can be complex and disruptive due to operational and safety considerations.

Additionally, the lifespan of ICS devices is often much longer than that of IT equipment, which can result in legacy systems that are difficult to patch and may not receive regular security updates. This can create vulnerabilities that are exploited by threat actors who specifically target weaknesses in ICS environments.

The Role of Cybersecurity in Protecting Critical Infrastructure

Given the potential consequences of cyber attacks on critical infrastructure, it is crucial for organizations in the power sector and other industries to prioritize cybersecurity. This includes investing in robust security measures, regularly patching and updating systems, and conducting thorough vulnerability assessments. Moreover, organizations should prioritize employee awareness and education to prevent social engineering attacks that could exploit human vulnerabilities.

Government entities also play a significant role in securing critical infrastructure. Legislators and regulatory bodies should work closely with industry experts to develop and enforce cybersecurity standards and regulations. Additionally, public-private partnerships should be fostered to facilitate information sharing and collaboration in addressing emerging threats.

Conclusion and Recommendations

The discovery and patching of vulnerabilities in SEL’s power system management products serve as a reminder of the ongoing need for vigilance and continuous improvement in cybersecurity practices. To protect critical infrastructure and ensure the resilience of industrial control systems, organizations should consider the following recommendations:

  • Prioritize cybersecurity as a key component of operational strategy.
  • Regularly update and patch software and systems to address known vulnerabilities.
  • Implement multi-factor authentication and strong access controls to prevent unauthorized access.
  • Conduct regular security assessments and penetration testing to identify and address any weaknesses.
  • Invest in employee training and awareness programs to mitigate the risk of social engineering attacks.
  • Collaborate with industry peers, government agencies, and cybersecurity experts to stay informed about emerging threats and best practices.

By taking these proactive steps, organizations in the power sector and beyond can enhance the security of their industrial control systems and ensure the ongoing protection of critical infrastructure.
