GE Mark VIe Controller

MonitorCVSS 6.8ICS-CERT ICSA-19-281-02Oct 8, 2019

Energy

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

GE Mark VIe Controller contains authentication and credential management vulnerabilities (CWE-285, CWE-798) affecting all versions. The vulnerability allows an attacker with local access and default or weak credentials to create read/write/execute commands within the Mark VIe control system. The primary attack vectors are enabled Telnet service (which has no encryption) and unchanged default passwords. GE has not released a firmware patch for this vulnerability; remediation relies on configuration changes and compensating controls. No known public exploits exist, and the vulnerability is not remotely exploitable.

What this means

What could happen

An attacker with local access to a Mark VIe controller could read, modify, or execute commands on the control system, potentially altering turbine or generator setpoints, disabling safety functions, or stopping power generation operations.

Who's at risk

Electric utilities and power generation facilities operating GE Mark VIe turbine control systems, particularly those with older Control*ST software versions (earlier than v6.0) and those that have not changed default credentials since commissioning.

How it could be exploited

An attacker must have local or physical access to the Mark VIe controller or its local network. They would exploit weak authentication (default or unchanged credentials) or enabled Telnet service to gain command execution on the controller. Once authenticated, they can issue read/write/execute commands to the control system.

Prerequisites

Local or network access to the Mark VIe controller (not remotely exploitable)
Default or weak controller credentials (unchanged after deployment)
Telnet service enabled (default on Control*ST versions earlier than v6.0)

Default credentials likely in useTelnet service enabled (no encryption)No patch available from vendorAffects safety-critical power generation controlLocal access only (limits exposure but not risk within plant)

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

GE Mark Vle Controller: All VersionsAll versionsNo fix yet

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDDisable the Telnet service on all Mark VIe controllers running Control*ST versions earlier than v6.0

HARDENINGReset all Mark VIe controller passwords upon transfer to the operating environment and establish a password management policy

HARDENINGRestrict physical and network access to Mark VIe controllers to authorized personnel only

Long-term hardening

0/2

HARDENINGIsolate Mark VIe controllers from the business network with firewalls and network segmentation

HARDENINGImplement user authentication and authorization controls native to the Mark VIe control system

CVEs (2)

CVE-2019-13554 CVE-2019-13559

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/488c3c4e-86f7-4d53-a837-b2db166ecd21

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.