ABB published public advisory

Rikard Bodforss

On November 1:st ABB published a public cyber security advisory on PGIM that describes the vulnerability I discovered. I would like to thank ABB for the opportunity to proofread the advisory before it was published, as well as for crediting me for the discovery of the vulnerability.

Link to the advisory:
And more specifically:

The past few days/weeks I have worked extensively with ABB to pinpoint the problem and come up with feasible mitigation strategies for systems that have not yet been upgraded to Symphony Plus Historian (SPH). I have also been proven wrong on a couple of assumptions of mine. I am especially grateful to Thomas Lindström at ABB for pointing this out, and for keeping me in the loop with all public communication from ABB.

These past few days I have experienced a very professional demeanor signified by mutual respect and much openness, both from my part and from ABB. This is the way I had hoped for my discovery to be handled five years ago. ABB takes cyber security seriously, and there have been a series of unfortunate circumstances that have led to the unfortunate handling of my disclosure in this case. I want to stress that ABB is a company that has very sound processes for handling these types of disclosures, but for several reasons this one fell between the chairs.

To correct my errors, I have updated my previous blog entry, but I would like to point out a few points especially, so there is no doubt about what the scope of the vulnerability is.

Points where I have been wrong

I had misunderstood the installation guide for SPH. I erroneously mistook the configuration for the SPH client for an option to revert to the old protocol on the server. This is not so. From what I have been told, there is no way of configuring SPH in a way that it will accept connections from a PGIM client, which leaves my attack scenario completely unfeasible for Symphony plus. It is possible to configure an SPH client to connect to an unsecure PGIM server, not the other way around.

No one could be happier than me that I have been wrong in this assumption.

I have also been updated on the status of IM, which is a completely different product based on Oracle DB. IM is not a predecessor to PGIM, but a different data historian that lives a parallel life with PGIM/SPH. IM has never been vulnerable to this attack (as I have stated) and has been used in several other industries other than power generation and water. My misconception was that PGIM replaced IM as the staple historian, but that was only for certain industry segments. IM is happily living on today as does 800xA History (which is yet another historian).

What to do if I have PGIM?

Read the advisory.
Read my blog on how to deal with a 0-day in critical infrastructure.
Plan for an upgrade to SPH, and in the meantime, work with the mitigation strategies pointed out by me and ABB.

If you still have questions, don’t hesitate to contact us. Our business is securing society, one control system at the time.