ICSA-25-105-08  ·  Published 2025-04-07  ·  Source: CISA ICS-CERT

ABB M2M Gateway

CVSS 8.8 HIGH

Remediations

  • Mitigating factors describe conditions and circumstances that make an attack that exploits the vulnerability difficult or less likely to succeed. The following mitigations are recommended:
    1. Obtain a cellular private access point (APN). A dedicated private cellular access point and respective SIM card subscriptions can be requested from your cellular service provider. This service doesn’t expose the traffic between remote sites and the main site to the internet but instead uses the cellular operator’s private wide area network (WAN). Therefore, the ARM600 wouldn’t need open ports to the internet.
    2. Avoid exposing any system component to the internet. If, however, the ARM600 is exposed to the internet, only the VPN port should be opened towards the internet (e.g., Patrol management connections can be configured to use the VPN tunnel, and remote administration connections can be implemented by using the OpenVPN PC client).
    3. The ARM600 system is by default not dependent on the name service (DNS). If name service is not used in the system, the name service port (TCP/UDP port 53) can be blocked by a firewall.
    4. Perform firewall configuration by the "allowlisting" principle, i.e., explicitly allow only the required ports and protocols and block all other traffic.
    5. Filter specific ICMP packets from external systems (ICMP types 13 and 14) by firewall so as not to expose the system time.
    6. If the internet is used as WAN media for carrying VPN tunnels, use a Demilitarized Zone (DMZ) for terminating connections from the internet (i.e., the remote connections should terminate in the DMZ network, which is segregated from other networks by a firewall; the ARM600 server would be located in this DMZ).
    7. Change the default user credentials of the ARM600 and Arctic wireless gateways to non-default values and use complex, non-guessable passwords with special characters. Do not reuse passwords within the system.
    8. Use administrator (i.e., root user) privileges only when required by the task.
    9. Supporting systems, such as PCs used for configuration, should be frequently updated. If possible, use dedicated site PCs for upgrading and engineering purposes. At minimum, PCs should be checked by running a full virus scan with recently updated signature files before introducing the PC to the OT system. Any data, such as device configurations and firmware update files, transferred to the Arctic system should be virus scanned prior to transfer.
    10. Introduce a backup policy which ensures periodic backups and backup revision numbering. Consider the following:
        a. Check that the entire system has backups available from all applicable parts.
        b. Store the backups in a safe place (e.g., in encrypted storage) restricted by role-based access control mechanisms.
        c. Ensure the security of the configuration PCs that may have local copies of device configurations.
        d. Validate the backups to make sure that they work.
    11. Follow cyber security best practices for installation, operation, and decommissioning as described in the product’s Cyber Security Deployment Guideline and User Manual.
    12. Use continuous monitoring (e.g., intrusion detection/prevention tools) to detect anomalies in the system.
    13. Consider hardening the system according to the following:
        a. Remove any unnecessary communication links in the system.
        b. If possible, close unused physical ports.
        c. Open only the necessary TCP/UDP ports in the configuration.
        d. Remove all unnecessary user accounts.
        e. Restrict traffic by firewall.
        f. Allow traffic only from/to necessary hosts' IP addresses (i.e., define both source and destination in the firewall rules, where possible).
        g. Define the client IP address as an allowed address in SCADA communication protocols, if such configuration is supported.
        h. Remove or deactivate all unused processes, communication ports and services, where possible.
        i. Use physical access controls for the system installations (e.g., server rooms and device cabinets).
    14. In ARM600SW installations, avoid servers with AMD processors vulnerable to the following: CVE-2021-26401, CVE-2023-20569 and CVE-2023-20593.
    15. Avoid using AX88179_178A chipset-based USB-to-Ethernet devices.
    Refer to the section "General security recommendations" for additional advice on how to keep your system secure.
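The firewall-related mitigations above (VPN port only towards the internet, DNS port 53 blocked when unused, allowlisting with a default-drop policy, ICMP types 13/14 filtered, both source and destination named in each rule) can be checked mechanically before a ruleset is deployed. The following is an added example, not code from ABB, CISA or the advisory: it models a stateless filter policy and audits it against those items. The rule model, the "weak" and "hardened" sample policies and the addresses in them are constructed for the demonstration; the VPN port value is an assumption (the OpenVPN default, 1194/udp), since the advisory names no port.

```python
"""Audit a packet-filter policy against the allowlist mitigations in ICSA-25-105-08.

Added example; not ABB's or CISA's code.  The Rule model and both sample
policies are constructed for the demonstration.  VPN_PORT is an assumption
(OpenVPN default); the advisory only says "the VPN port".  The audit assumes
the name service (DNS) is not used in the system, as item 3 allows.
"""
from dataclasses import dataclass
from typing import List, Optional

VPN_PORT = 1194                  # assumption: OpenVPN default, adjust to the deployment
DNS_PORT = 53                    # item 3: block TCP/UDP 53 when name service is unused
ICMP_TIMESTAMP_TYPES = {13, 14}  # item 5: ICMP timestamp request (13) and reply (14)
ANY = "0.0.0.0/0"                # shorthand meaning "unrestricted" in the sample rules


@dataclass(frozen=True)
class Rule:
    """One stateless filter rule; rules are evaluated in order, first match wins."""
    action: str                      # "accept" or "drop"
    proto: str                       # "tcp", "udp" or "icmp"
    src: str                         # source CIDR, ANY = unrestricted
    dst: str                         # destination CIDR, ANY = unrestricted
    dport: Optional[int] = None      # TCP/UDP destination port, None = every port
    icmp_type: Optional[int] = None  # ICMP type, None = every type


def audit(rules: List[Rule], default_policy: str) -> List[str]:
    """Return findings that contradict the advisory; an empty list means compliant."""
    findings: List[str] = []
    if default_policy != "drop":
        findings.append("default policy must be drop so only listed traffic passes (item 4)")
    for i, r in enumerate(rules, start=1):
        if r.action != "accept":
            continue  # drop rules never widen exposure
        if r.src == ANY and r.dst == ANY:
            findings.append(f"rule {i}: neither source nor destination is restricted (item 13f)")
        if r.proto in ("tcp", "udp"):
            if r.dport is None:
                findings.append(f"rule {i}: accepts every {r.proto} port instead of named ones (item 13c)")
            elif r.dport == DNS_PORT:
                findings.append(f"rule {i}: accepts DNS port 53 although name service is unused (item 3)")
            elif r.src == ANY and r.dport != VPN_PORT:
                findings.append(f"rule {i}: internet-facing accept on {r.proto}/{r.dport}; "
                                f"only the VPN port may face the internet (item 2)")
        elif r.proto == "icmp" and r.src == ANY:
            if r.icmp_type is None or r.icmp_type in ICMP_TIMESTAMP_TYPES:
                findings.append(f"rule {i}: external ICMP timestamp traffic (types 13/14) "
                                f"is accepted and exposes the system time (item 5)")
    return findings


# Constructed "before" policy: the kind of configuration the advisory warns against.
WEAK_POLICY = [
    Rule("accept", "tcp", ANY, ANY, dport=22),             # admin straight from the internet
    Rule("accept", "udp", ANY, "203.0.113.10/32", dport=53),  # DNS left open
    Rule("accept", "icmp", ANY, "203.0.113.10/32"),        # every ICMP type, timestamps included
    Rule("accept", "tcp", ANY, ANY),                        # catch-all
]
WEAK_DEFAULT = "accept"

# Constructed hardened policy: VPN terminates in a DMZ (item 6), everything else explicit.
SITE_NET = "10.10.0.0/16"       # assumed address range of the remote sites inside the tunnel
DMZ_ARM600 = "203.0.113.10/32"  # assumed DMZ address of the ARM600 (documentation prefix)
HARDENED_POLICY = [
    Rule("drop", "icmp", ANY, DMZ_ARM600, icmp_type=13),
    Rule("drop", "icmp", ANY, DMZ_ARM600, icmp_type=14),
    Rule("drop", "udp", ANY, DMZ_ARM600, dport=DNS_PORT),
    Rule("drop", "tcp", ANY, DMZ_ARM600, dport=DNS_PORT),
    Rule("accept", "udp", ANY, DMZ_ARM600, dport=VPN_PORT),  # the single internet-facing port
    Rule("accept", "tcp", SITE_NET, DMZ_ARM600, dport=22),   # admin only from inside the tunnel
]
HARDENED_DEFAULT = "drop"


if __name__ == "__main__":
    for name, rules, default in (("weak", WEAK_POLICY, WEAK_DEFAULT),
                                 ("hardened", HARDENED_POLICY, HARDENED_DEFAULT)):
        result = audit(rules, default)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The audit is deliberately conservative: it only inspects accept rules, because a drop rule can never widen exposure, and it treats an unrestricted source as "the internet", which matches the advisory's model of an ARM600 whose only internet-facing port is the VPN port. The same structure extends to other items (for example, item 13g's per-client allowed addresses) by adding checks in the loop.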

Affected Vendors

ABB

Affected Products (2)

ABB · ARM600: versions >=4.1.2 and <=5.0.3
ABB · SW: versions >=5.0.1 and <=5.0.3

Affected Sectors

Energy
