Claroty’s Team82 finds vulnerabilities in historian server
Claroty's research team, Team82, has examined the GE Proficy Historian, finding five exploitable vulnerabilities capable of causing damage to the system.
Historian servers are wide-reaching critical databases that store data collected from industrial control systems and extend to the corporate network by sharing information with business enterprise resource planning systems and analytics platforms.
Industrial automation operations create important data about asset health and processes.
Historian servers are an important step in processing and analysing this information on-premises or in the cloud to better understand processes and make them more efficient.
GE Proficy Historian is an industry-leading historian server that collects, stores and distributes time-series and engineering data.
Team82's report, Hacking ICS Historians: The Pivot Point from IT to OT, shows attackers can exploit these vulnerabilities to access the historian, crash the device, and remotely execute code.
Attackers target historian servers for various reasons, including gathering intelligence on industrial processes, financial gain, manipulating automation processes by altering or deleting data to disrupt operations, damaging equipment, and endangering operators.
Further, attackers are drawn to the fact that historian servers share process information with enterprise systems, a pivot point that allows them to move from the IT network to OT systems.
Team82 finds GE Proficy Historian v7.0 and higher versions are affected, with one of the five vulnerabilities having a CVSS v3 score of 9.8 and the four others having CVSS v3 scores of 7.5.
GE Proficy Historian 2023 mitigates the issues, and SIMs have been provided for all affected versions.
Claroty's research team urges users to ensure their systems are up to date.
This latest research comes after Team82 uncovered a new vulnerability in ABB TotalFlow flow computers and controllers.
ABB TotalFlow is used within many large oil and gas utilities worldwide to calculate volume and flow rates for oil and gas, which are critical to electric power manufacturing and distribution. They are also used as inputs in other areas, including billing.
Claroty says the new vulnerability gives attackers the ability to gain root access on an ABB flow computer, allowing them also to read and write files and remotely execute code. The company says an attacker could exploit a vulnerable system to inject and execute arbitrary code.
Claroty's Team82 discovered a high-severity path-traversal vulnerability (CVE-2022-0902) in ABB's TotalFlow Flow Computers and Remote Controllers; attackers can exploit this flaw to gain root access.
Affected products include ABB's RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5, XRCG5, uFLOG5 and UDC products.
ABB says that it has made a firmware update available that resolves the vulnerability in a number of product versions, and the company also recommends network segmentation as a mitigation tool. Users are also urged to immediately update their firmware to the latest version.
Team82 says the vulnerability's consequences will be similar to those suffered as a result of the Colonial Pipeline breach following its 2021 ransomware attack.