Amnesia:33 and why is Cyber Security a Growing Concern for the Utility Sector?

Feb 02, 2021

Cyber security is a real concern for everyone, including utilities. In December 2020, Forescout [1] disclosed 33 software security vulnerabilities affecting millions of consumer and industrial-grade devices worldwide. This bundle of vulnerabilities is called AMNESIA:33. They were found in four open-source TCP/IP stacks, and four of the vulnerabilities are considered critical. These four TCP/IP stacks collectively serve as the foundational components of millions of connected devices worldwide, and these vulnerabilities can allow attackers to compromise devices, execute malicious code, perform denial-of-service attacks and steal sensitive information.

Of course, NES immediately conducted a review of its products and solutions, and confirmed that our solutions and devices are not affected by AMNESIA:33 vulnerabilities and the associated four specific implementations of the TCP/IP stack. In fact, NES products do not use any of these stacks.

Some examples of the impacted systems include devices such as sensors/meters, system-on-a-chip (SoC) boards, HVAC systems, routers, switches, uninterruptible power supplies, and all sorts of industrial equipment. Vendors whose products are affected by AMNESIA:33 will need to update their TCP/IP stacks and integrate them as firmware updates into their products. The only way to update the firmware easily and cost-effectively is if the products and system support remote firmware upgrades. Otherwise, it is extremely expensive and time-consuming to upgrade or replace the affected devices.

Most importantly, the key message to everyone is that these security concerns occur and that all companies need to take all aspects of security very seriously. This includes all smart grid and smart metering systems and devices. Cyber security is of growing concern in the utility sector, especially related to Smart Grid and Smart Metering Systems. Companies need to be vigilant in not only identifying any potential security vulnerabilities, but also in responding and correcting identified issues.

Author:
Larry Colton - Director International Business Development & Government Affairs at NES

[1] Source: https://www.forescout.com/research-labs/amnesia33/