GE Hydran M2 Predictable TCP Initial Sequence Vulnerability

CVEs (1)

Remediations

• GE Digital Energy has released a new version of the Ethernet option, which resolves the identified vulnerability in newly released Hydran M2 devices. The update changes the sequence algorithm, which makes it improbable that a TCP sequence attack could succeed. The version of Ethernet card that implements this improvement is 94450214LFMT100SEM-L.R3-CL.
• There is no method to update Hydran M2 devices released prior to October 2014. GE Digital Energy recommends that utilities using older versions of the Hydran M2 device implement network security defensive measures, to include the following:
• Place the Hydran M2 inside the control system network security perimeter with access controls and monitoring.
• Minimize network exposure to all other control system devices. Control system devices should not directly face the Internet or business networks.
• Locate control system networks and devices behind properly configured firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
• GE Digital Energy’s Product Bulletin is available in at the following location, with a user account: http://libraries.ge.com/download?fileid=642886573101andentity_id=31955841101andsid=101

Affected Vendors

Affected Products (1)