General Electric Renewable Energy MDS Radios
Act Now | 10 | ICS-CERT ICSA-22-090-06 | Mar 31, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple critical vulnerabilities in General Electric Renewable Energy MDS Radio series allow remote unauthenticated attackers to control radio configuration, join networks without authorization, and deny service to valid users. The vulnerabilities are in the iNET/iNET II, SD, TD220MAX, and TD220X series radios. These radios are used in renewable energy generation sites, particularly wind farms, for wireless communications of operational status and control signals.
What this means
What could happen
An attacker could remotely reconfigure these radios or gain unauthorized network access, potentially disrupting communications between renewable energy assets and control centers. This could prevent operators from receiving status updates or sending control commands, affecting energy generation and dispatch.
Who's at risk
Wind farm operators and other renewable energy generation facility managers who use GE MDS Radios for communication between turbines, inverters, or remote monitoring stations and central control systems. This includes solar facilities and other distributed energy resources that rely on these radio series for wireless operational data and command transmission.
How it could be exploited
An attacker on the network or the Internet can send specially crafted packets to the radio without authentication. The radio accepts the packets due to weak input validation and lack of authentication mechanisms, allowing the attacker to change configuration, inject themselves into the network mesh, or trigger denial of service conditions.
Prerequisites
- Network connectivity to the radio (can be from the Internet or internal network)
- No authentication credentials required
- Radio device must be powered on and operational
- Remotely exploitable from the Internet
- No authentication required
- Low attack complexity
- Actively exploited (KEV)
- EPSS score 94.3% (very high exploit probability)
- Affects critical energy infrastructure
- CVSS v3.0 score 10.0 (critical)
- Impacts confidentiality, integrity, and availability
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (4)
4 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| iNET/iNET II series radio: firmware | < rev. 8.3.0 | firmware rev. 8.3.0 |
| SD series radio: firmware | < rev. 6.4.7 | firmware rev. 6.4.7 |
| TD220MAX series radio: firmware | < rev. 1.2.6 | firmware rev. 1.2.6 |
| TD220X series radio: firmware | < rev. 2.0.16 | firmware rev. 2.0.16 |
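The fixed revisions listed above can be checked against an asset inventory. The following is an added example, not part of the advisory or any GE tooling; the inventory layout, asset names and the prefix-based model matching are assumptions. It compares revisions numerically, because plain string comparison misorders values such as 2.0.9 and 2.0.16.

```python
import re

# Fixed firmware revisions, taken from the advisory's affected-products table.
FIXED = {
    "INET": (8, 3, 0),       # iNET / iNET II series
    "SD": (6, 4, 7),
    "TD220MAX": (1, 2, 6),
    "TD220X": (2, 0, 16),
}

def series_key(model):
    """Map a free-form model string to an advisory series, or None (assumed naming)."""
    m = re.sub(r"[^A-Z0-9]", "", model.upper())
    for key in ("TD220MAX", "TD220X", "INET", "SD"):  # longest names first
        if m.startswith(key):
            return key
    return None

def parse_rev(text):
    """Parse 'rev. 8.3.0' or '8.3' into a 3-part integer tuple, or None."""
    m = re.search(r"(\d+(?:\.\d+){0,2})", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(model, firmware):
    """VULNERABLE if below the fixed revision, FIXED if not, REVIEW if unknown."""
    key, rev = series_key(model), parse_rev(firmware)
    if key is None or rev is None:
        return "REVIEW"
    return "VULNERABLE" if rev < FIXED[key] else "FIXED"

def triage(inventory):
    return [(asset, status(model, fw)) for asset, model, fw in inventory]

# Constructed sample inventory (asset names and revisions are made up).
SAMPLE = [
    ("wtg-01", "iNET II", "rev. 8.2.9"),
    ("wtg-02", "iNET-II", "8.10.0"),
    ("sub-01", "SD4", "6.4.7"),
    ("sub-02", "TD220X", "2.0.9"),
    ("sub-03", "TD220MAX", ""),
]

if __name__ == "__main__":
    for asset, result in triage(SAMPLE):
        print(asset, result)
```

Entries reported as REVIEW have an unrecognised model or an unreadable revision and need a manual check.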
Remediation & Mitigation
Do now
- HOTFIX: Update iNET/iNET II series radios to firmware revision 8.3.0 or later
- HOTFIX: Update SD series radios to firmware revision 6.4.7 or later
- HOTFIX: Update TD220MAX series radios to firmware revision 1.2.6 or later
- HOTFIX: Update TD220X series radios to firmware revision 2.0.16 or later
- WORKAROUND: Enable MAC address allow-listing on radios to permit only known devices to join the network
- WORKAROUND: Enable IEEE 802.1x authentication on radios to require device credentials for network access
- HARDENING: Encrypt operational communications with HTTPS or SSH at the application level
- HARDENING: Place radio devices behind firewalls and isolate them from the business network and Internet
Long-term hardening
- HARDENING: Implement network segmentation to minimize network exposure for renewable energy control system devices
- HARDENING: If remote access to radios is necessary, use secure methods such as VPNs with current security updates