How Red Teaming Strengthens Industrial Security: Insights from ABB

A security update is supposed to protect systems, not introduce new risks. But what if an attacker could manipulate that very update process? This was the question at the heart of a Red Teaming engagement conducted by Secura and Midnight Blue in collaboration with a DSO. This article explains the findings, the risks, and the lessons learned for industrial operators.

The only sounds in the room were the steady clicks of keyboards and quiet discussions of attack strategies. After weeks of preparation—gathering intelligence, mapping attack paths, and simulating real-world tactics—the Red Team found what they were looking for. A weakness in ABB’s update process, small but significant. If exploited, it could allow an attacker to compromise entire industrial environments.

This discovery came from a Red Teaming assessment conducted by Secura and Midnight Blue in collaboration a Distribution System Operator (DSO). The results highlight the risks industrial organizations face and reinforce why security assessments are essential.

One of the major vulnerabilities identified during the assessment was CVE-2024-8036, a serious security flaw that affects multiple ABB products. This vulnerability exposes industrial systems to risks such as firmware manipulation, denial of service, and even remote code execution. Understanding the details of this CVE is crucial for organizations relying on ABB's industrial solutions.

The Risk: Unsecured Updates in Industrial Systems

Attackers do not always rely on complex exploits to infiltrate networks. Sometimes, they insert malicious code into routine software updates. The assessment of ABB’s systems uncovered such a risk—CVE-2024-8036—a vulnerability in the update mechanism that could allow an attacker to manipulate software updates. In industrial settings, the impact could range from production disruptions to serious safety incidents.

Malformed Configuration Updates

Several ABB Relion Intelligent Electronic Devices (IEDs) were found vulnerable to malformed configuration updates, potentially leading to a denial of service scenario. Attackers could:

1. Authenticate using factory-default or intercepted credentials.
2. Delete critical configuration files, disabling protection and control functionality.
3. Modify remote passwords, disable overrides, and disrupt IP configurations.
4. Reboot the IED, locking out operators and complicating recovery efforts.

Once rebooted, the IED initializes without proper configuration, preventing both remote and local control of switchgear and breakers, further amplifying operational risk.

Unsigned Firmware Updates

ABB Relion IEDs were also found to allow firmware updates without cryptographic signing. Attackers could:

1. Authenticate using factory-default or intercepted credentials.
2. Transfer a malicious firmware file via FTP(S), triggering an automatic reboot.
3. Implant persistent threats at the firmware level, making detection and recovery extremely difficult.

What happened next?

After the major vulnerability was found, ABB prepared a Product Advisory Note 2NGA002288 outlining the context and recommended mitigations to address this vulnerability. Asset owners were recommended to evaluate the risk posed by this vulnerability to their environments and operations and implement the recommended mitigations prior to public disclosure.

Why Red Teaming is Critical for Industrial Security

Red Teaming is more than just a security test—it’s a real-world simulation of how a determined attacker would approach an industrial system. In the engagement with the DSO involving ABB devices, our team replicated the tactics of sophisticated adversaries, probing for weaknesses that could be exploited in an actual attack scenario.

One of the key revelations was how easily traditional security measures can be bypassed if organizations rely solely on compliance-driven assessments. Standard penetration tests often focus on predefined parameters, whereas Red Teaming goes beyond, uncovering vulnerabilities in system architecture, update processes, and incident response strategies. This deeper level of testing exposed hidden weaknesses that, if left unchecked, could lead to catastrophic system failures.

Beyond identifying technical gaps, Red Teaming also serves as a critical exercise in incident response readiness. The ABB case demonstrated that even well-prepared teams could struggle to detect and mitigate certain attack vectors in real-time. By simulating real-world attacks, organizations gain firsthand experience in identifying threats before they manifest into full-scale incidents.

Furthermore, supply chain security emerged as a vital concern. Industrial systems often rely on third-party software, and vulnerabilities in these components can introduce significant risks. Through Red Teaming, ABB was able to assess and strengthen their software update mechanisms, reducing the potential for malicious firmware infiltration.

Key Takeaways for Industrial Operators

The engagement with the DSO involving ABB devices underscores crucial lessons for industrial cybersecurity:

• Securing Update Mechanisms is Essential – Organizations must verify the authenticity of all software updates to prevent supply chain attacks.
• Security is an Ongoing Process – Threats continue to evolve, making periodic Red Teaming assessments essential to staying ahead of potential risks.
• External Expertise Enhances Security – Collaborating with security specialists, such as Secura and Midnight Blue, provides fresh perspectives and helps close security gaps that internal teams might overlook.

Next Steps

The findings in ABB’s systems serve as a reminder of the importance of proactive security efforts. Red Teaming is not just about finding flaws—it helps organizations build stronger defenses. Secura, in partnership with Midnight Blue, conducts advanced security assessments to uncover risks before attackers do.