Hitachi ABB Power Grids Retail Operations and CSB Products

Plan PatchCVSS 7.7ICS-CERT ICSA-21-236-02Aug 24, 2021

ABBHitachi EnergyEnergy

Attack path

Attack VectorNetwork

Auth RequiredHigh

ComplexityHigh

User InteractionNone needed

Summary

This vulnerability in Hitachi ABB Power Grids Retail Operations and Counterparty Settlement and Billing (CSB) products allows an attacker with high-level administrative credentials to access database credentials, shut down the product, and read or modify system data. The vulnerability resides in insufficient credential storage protections, related to CWE-522 (Insufficiently Protected Credentials). The products affected are Retail Operations and CSB, all versions up to and including 5.7.2. Hitachi ABB Power Grids recommends updating to Version 5.7.3 or later. An entry point for this vulnerability is unsecured operating system configurations on which the product is installed.

What this means

What could happen

An attacker with high-level administrative access could extract database credentials, shut down billing and settlement operations, or modify critical energy trading and billing data. This could disrupt financial settlements and settlement processing for energy markets.

Who's at risk

Energy market operators and utilities that run Hitachi ABB Power Grids Retail Operations or Counterparty Settlement and Billing (CSB) systems should be concerned. These products handle billing, settlement, and financial transactions for energy markets. Affected organizations include power trading companies, utilities, and energy service operators who depend on these systems for operational financial processes.

How it could be exploited

An attacker with high-privilege credentials (such as a system administrator or engineer) could exploit this vulnerability to access the underlying database, extract stored credentials, shut down the service, or read/modify system data. The attack requires prior access to an administrative account on the system.

Prerequisites

High-privilege administrative credentials to the affected product (system administrator or engineer role)
Network access to the Retail Operations or CSB application
Unsecured or weakly hardened host operating system
Access may be facilitated by weak OS-level security controls

High privilege access requiredHigh attack complexityNo patch available for current versions (remediation requires manual vendor update)Affects billing and settlement operations (financial impact)Weak OS security posture can increase risk

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Retail Operations: All≤ 5.7.25.7.3+

Counterparty Settlement and Billing (CSB): All≤ 5.7.25.7.3+

Remediation & Mitigation

0/7

Do now

0/1

Counterparty Settlement and Billing (CSB): All

WORKAROUNDImplement firewall rules to restrict network access to Retail Operations and CSB to only authorized administrative workstations

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Counterparty Settlement and Billing (CSB): All

HOTFIXUpgrade Counterparty Settlement and Billing (CSB) to Version 5.7.3 or later

All products

HOTFIXUpgrade Retail Operations to Version 5.7.3 or later

HARDENINGMonitor application process logs and system logs for unrecognized user sessions originating from outside the application

Long-term hardening

0/3

Counterparty Settlement and Billing (CSB): All

HARDENINGIsolate Retail Operations and CSB systems from the business network using a DMZ or dedicated network segment

All products

HARDENINGHarden the operating system hosting these products according to CIS guidelines

HARDENINGEnsure these systems are not accessible from the Internet; use VPN with strong authentication for any required remote access

CVEs (1)

CVE-2021-35529

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c3002ccc-048b-4f2b-b781-d8e2510a7d05

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.