Beckwith Electric TCP Initial Sequence Vulnerability
Low Risk | ICS-CERT ICSA-15-153-01 | Mar 5, 2015
Summary
Beckwith Electric digital control devices for voltage regulators, tapchangers, and capacitor banks use a weak TCP initial sequence number algorithm that is predictable. This allows an attacker on the network to forge TCP packets and impersonate the controller or legitimate network peers. The vulnerability affects the M-6200, M-6200A, M-2001D, M-6283A, M-6280A, and M-6280 models across all versions or versions below specified thresholds. No firmware updates are available from the vendor.
What this means
What could happen
An attacker could predict TCP initial sequence numbers and forge packets to impersonate the Beckwith controller in network communications, potentially disrupting communications or injecting unauthorized commands into voltage regulation and capacitor bank control systems.
Who's at risk
Electric utilities that operate voltage regulation and reactive power management equipment are the ones at risk. The affected products are Beckwith Electric's M-6200 series voltage regulator controls, M-2001D tapchanger controls, and M-6280/M-6283A capacitor bank controls. These devices manage grid stability in distribution networks and substation automation systems.
How it could be exploited
An attacker on the same network segment or with network visibility to the Beckwith device could observe TCP traffic, predict the sequence numbers using the weak algorithm, and craft forged TCP packets that appear to come from legitimate sources. This could allow them to inject commands or disrupt normal control communication to voltage regulators and capacitor banks.
Prerequisites
- Network access to the same network segment as the Beckwith controller
- Ability to observe or infer TCP sequence numbers
- No authentication required for TCP spoofing
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects voltage regulation and grid stability systems
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (6, all EOL)
Product | Affected Versions | Fix Status
M-6200 Digital Voltage Regulator Control | <D-0198V04.07.00 | No fix (EOL)
M-6200A Digital Voltage Regulator Control | <D-0228V02.01.07 | No fix (EOL)
M-2001D Digital Tapchanger Control | <D-0214V01.10.04 | No fix (EOL)
M-6283A Three Phase Digital Capacitor Bank Control | <D-0346V03.00.02 | No fix (EOL)
M-6280A Digital Capacitor Bank Control | <D-0254V03.05.05 | No fix (EOL)
M-6280 Digital Capacitor Bank Control | All versions (vers:all/*) | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Deploy a firewall or managed switch with ingress filtering to block spoofed packets and restrict inbound connections to the Beckwith controllers from untrusted network segments.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: M-6200 Digital Voltage Regulator Control (<D-0198V04.07.00), M-6200A Digital Voltage Regulator Control (<D-0228V02.01.07), M-2001D Digital Tapchanger Control (<D-0214V01.10.04), M-6283A Three Phase Digital Capacitor Bank Control (<D-0346V03.00.02), M-6280A Digital Capacitor Bank Control (<D-0254V03.05.05), M-6280 Digital Capacitor Bank Control (vers:all/*). Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate voltage regulator and capacitor bank controllers on a dedicated VLAN with access control lists limiting traffic to authorized systems only.
HARDENING: Monitor network traffic for unusual TCP connection patterns or failed communications that could indicate sequence number prediction attacks.
HARDENING: Plan for long-term replacement of affected Beckwith controllers with equipment that implements cryptographically secure random TCP sequence number generation.
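The last control is only verifiable if you can tell a predictable ISN generator from a random one. The audit below is an added example, not code from the advisory or from Beckwith: it takes the ISNs seen in successive SYN/ACKs from a device under test (here constructed samples, not values measured from any Beckwith controller) and classifies the generator by the spread of consecutive ISN deltas, using assumed thresholds in the spirit of nmap's TCP sequence predictability index.

```python
"""Classify a TCP initial sequence number (ISN) generator from observed
ISNs. Input: 32-bit ISNs from successive connections to the same device.
Sample data below is constructed; it was not captured from a real device."""
import random
from statistics import pstdev

MOD = 2 ** 32
WEAK_STDDEV = 2 ** 16  # assumed threshold: below this the next ISN is guessable in few tries


def isn_deltas(isns):
    """Differences between consecutive ISNs, reduced modulo 2^32 so that
    wrap-around counters still produce their true increment."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isn(isns):
    """Return (verdict, stddev_of_deltas).
    'predictable': every delta identical (fixed-increment counter)
    'weak'       : deltas cluster tightly, next ISN lies in a small window
    'random'     : deltas spread across the 32-bit space"""
    if len(isns) < 2:
        raise ValueError("need at least two ISN samples")
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        return "predictable", 0.0
    sd = pstdev(deltas)
    return ("weak" if sd < WEAK_STDDEV else "random"), sd


# Constructed sample sets (labelled as such; not measurements).
# 1) Fixed increment of 64000 per connection, a classic weak scheme.
COUNTER_ISNS = [(1000 + 64000 * i) % MOD for i in range(16)]
# 2) Same counter with a little jitter: still guessable within a few hundred values.
_rng = random.Random(7)
JITTER_ISNS = [(64000 * i + _rng.randint(0, 500)) % MOD for i in range(16)]
# 3) Full 32-bit random ISNs, what replacement equipment should produce.
_rng = random.Random(11)
RANDOM_ISNS = [_rng.getrandbits(32) for _ in range(32)]

if __name__ == "__main__":
    for name, samples in (("counter", COUNTER_ISNS), ("jitter", JITTER_ISNS),
                          ("random", RANDOM_ISNS)):
        verdict, sd = classify_isn(samples)
        print(f"{name:8s} -> {verdict:12s} (delta stddev {sd:.0f})")
```

In practice the samples come from repeated connections to the controller's TCP service captured on a span port or with a packet capture tool; a 'predictable' or 'weak' verdict confirms the advisory's finding and a 'random' one is the acceptance criterion for replacement hardware.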
CVEs (1)