GE MARK VI Controller Hard-Coded Password Vulnerability Notice

Hi Folks,

This may come as a surprise to some, but there is a hard-coded root password in some versions of the GE MARK VIe controllers, and other similar MARK control systems. The root password allows access to the MARK controller, and based on several years I've spent working around these systems, there is a lot of mischief that can be accomplished with this level of access to the controllers that could be detrimental to.

This has been a closely held secret in industry for a long time, and GE disclosed this privately via a Technical Instruction Letter in 2013, but apparently the cyber security firm Claroty found it while doing some product development and reported it to DHS. I won't give the TIL number on this public list, but your GE rep can find it.

I recommend owners of these systems contact their GE Support rep and ask about getting a fix (there is one) if their system needs it (GE TAs may have already applied it if they visit you regularly). While the vulnerability score of 6.8/10 for this vuln is what DHS has posted, my own assessment has this at a 9.8/10 due to what the controller is controlling for the turbine it's attached to (a high score indicates a high severity). Please note, having a triple redundant system is not a guard against a bad guy exploiting this vulnerability. If you have specific questions, email me directly.

DHS Alert is here: https://www.us-cert.gov/ics/advisories/icsa-19-281-02

Mike Toecker
toecker (*a-t*) context-is(*dot*)com
 