Hitachi ABB Power Grids TropOS

Plan PatchCVSS 7.5ICS-CERT ICSA-21-236-01Aug 24, 2021

ABBHitachi EnergyEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Hitachi ABB Power Grids TropOS firmware versions 8.9.4.8 and earlier contain multiple vulnerabilities (CWE-74, CWE-326, CWE-306, CWE-287, CWE-354, CWE-20) in Wi-Fi access point functionality. Successful exploitation allows an attacker to redirect connected clients to fake websites and extract sensitive data through man-in-the-middle style attacks on Wi-Fi traffic. These vulnerabilities are related to the FragAttacks Wi-Fi vulnerability family and require the attacker to be within Wi-Fi range of the access point.

What this means

What could happen

An attacker within Wi-Fi range could redirect connected laptops or mobile devices to fake websites and intercept sensitive information like credentials. This could compromise engineering workstations and lead to unauthorized access to grid control systems or data theft.

Who's at risk

Utility operators managing TropOS wireless access points in substations or control centers should be concerned. This affects any facility using TropOS to provide Wi-Fi access for engineering laptops, configuration devices, or maintenance personnel. Power utilities, particularly those using Hitachi ABB Power Grids equipment, are the primary concern.

How it could be exploited

An attacker within Wi-Fi range of a TropOS access point can intercept and manipulate Wi-Fi traffic to redirect connected clients to fraudulent websites or perform man-in-the-middle attacks. The attacker does not need valid credentials but must be physically close enough to reach the Wi-Fi signal. This is most dangerous if engineering workstations or control system laptops connect to the TropOS Wi-Fi.

Prerequisites

Physical proximity to the TropOS Wi-Fi access point (Wi-Fi range)
Target client device must be connected or attempting to connect to the TropOS local SSID
Wi-Fi access point must be enabled with local SSID broadcast active

No authentication required for exploitationLow complexity attack (man-in-the-middle on Wi-Fi)No patch availableAffects sensitive data confidentialityCould compromise engineering workstations with access to control systems

Exploitability

Some exploitation risk — EPSS score 2.3%

Affected products (1)

ProductAffected VersionsFix Status

TropOS: Firmware≤ 8.9.4.88.9.4.9+

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDDisable Wi-Fi local access SSID on TropOS units where Wi-Fi connectivity is not required

HARDENINGEnable Wi-Fi whitelist capability to restrict access to approved personnel MAC addresses only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate TropOS firmware to version 8.9.4.9 or later

Long-term hardening

0/3

HARDENINGRestrict physical access to TropOS equipment and surrounding area to authorized staff only

HARDENINGInstall and maintain firewall capabilities on all end-user laptops and servers connecting to TropOS Wi-Fi

HARDENINGIsolate TropOS and all control system networks from the business network using network segmentation

CVEs (12)

CVE-2020-24588 CVE-2020-26139 CVE-2020-26141 CVE-2020-26146 CVE-2020-24586 CVE-2020-24587 CVE-2020-26140 CVE-2020-26142 CVE-2020-26143 CVE-2020-26144 CVE-2020-26145 CVE-2020-26147

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/45d4c6a1-6936-4c43-9a2a-2a7de3ca8872

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.