Hitachi ABB Power Grids AFS Series

MonitorCVSS 6.5ICS-CERT ICSA-21-075-03Mar 16, 2021

ABBHitachi EnergyEnergy

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in Hitachi ABB Power Grids AFS660-SR and AFS665-SR Ethernet switches allows denial of service on one port in a HSR (High-availability Seamless Redundancy) ring topology. An attacker on the local network can send malformed HSR frames that cause the switch to misprocess them, resulting in one port becoming unavailable. This impacts the redundancy guarantees of the ring configuration. Hitachi ABB Power Grids has stated the vulnerability can be fixed by modifying how the switch processes HSR frames, but no patched firmware versions have been released yet for the affected product versions (7.0.07).

What this means

What could happen

An attacker on the local network could disrupt one port in a Hitachi ABB redundant ring topology by triggering a denial-of-service condition, potentially degrading network resilience if the ring cannot failover properly.

Who's at risk

Electric utility operators using Hitachi ABB AFS660-SR or AFS665-SR redundant Ethernet switches in protection and control systems for high-voltage substations. These switches are critical to maintaining network redundancy in substation automation systems.

How it could be exploited

An attacker with access to the same network segment as the AFS switch sends specially crafted HSR (High-availability Seamless Redundancy) frames that trigger a processing error in the switch, causing one port in the redundant ring to stop functioning.

Prerequisites

Network access to the same Layer 2 network segment as the AFS660-SR or AFS665-SR switch (cannot be exploited remotely over routed networks)
Ability to send raw Ethernet frames with HSR headers to the switch

No patch currently availableAffects redundancy systems in electrical infrastructureLocal network access required but difficult to detect

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (2)

2 pending

ProductAffected VersionsFix Status

AFS660-SR:7.0.07No fix yet

AFS665-SR:7.0.07No fix yet

Remediation & Mitigation

0/3

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate AFS660-SR and AFS665-SR switches to a patched version when available from Hitachi ABB Power Grids

Long-term hardening

0/2

HARDENINGIsolate AFS switches from untrusted network segments using managed firewalls or network access controls

HARDENINGImplement network segmentation to ensure only authorized maintenance personnel and control devices can reach the AFS switches

CVEs (1)

CVE-2020-9307

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3227bd3b-c9c1-494a-bb57-3cccc0e70605

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.