OTPulse

ABB Power Generation Information Manager (PGIM) and Plant Connect

Act Now | 9.8 | ICS-CERT ICSA-19-318-05 | Nov 14, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A remote attacker can bypass authentication and extract credentials from ABB Power Generation Information Manager (PGIM) and Plant Connect without providing valid login credentials. PGIM is transitioning to limited support in January 2020, and Plant Connect is already obsolete. The vulnerability is due to insufficient authentication validation (CWE-288).

What this means
What could happen
An attacker could bypass authentication on PGIM or Plant Connect and steal user credentials, potentially gaining access to historical plant data and operational systems. These systems may be used to monitor or control power generation facilities, so credential compromise could enable further attacks on critical infrastructure.
Who's at risk
Power generation facilities using ABB PGIM or Plant Connect for historical data logging and monitoring. This affects utilities and independent power producers that rely on these products for operational visibility, process trending, and compliance reporting.
How it could be exploited
An attacker on the network could send specially crafted requests to PGIM or Plant Connect (running on default ports) without providing valid credentials to trigger the authentication bypass flaw. Once past authentication, the attacker can extract stored or in-transit credentials, then use those to access other systems that share credentials with PGIM/Plant Connect.
Prerequisites
  • Network access to the PGIM or Plant Connect application server (typically port 80 or 443 for web interfaces)
  • No valid credentials required to exploit the authentication bypass
remotely exploitable | no authentication required | low complexity | no patch available | actively used in critical infrastructure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
Power Generation Information Manager (PGIM) | All versions | No fix (EOL)
Plant Connect | All versions | No fix (EOL)
Remediation & Mitigation
Do now
Power Generation Information Manager (PGIM): All versions
WORKAROUND: If immediate migration is not possible, use IPSec or other network encryption to protect communication to and from PGIM and Plant Connect
HARDENING: Do not reuse Windows login credentials for PGIM and Plant Connect application access; use unique credentials for each system
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Migrate to ABB Symphony Plus Historian (the supported successor product that is not affected)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Power Generation Information Manager (PGIM): All versions, Plant Connect: All versions. Apply the following compensating controls:
HARDENING: Isolate PGIM and Plant Connect from production network using network segmentation or air-gap where feasible