GE Vernova MiCOM S1 Agile: Privilege Escalation Vulnerability Disclosed

source: https://www.arcweb.com/blog/ge-vernova-aws-expand-collaboration-address-global-energy-demand

GE Vernova released security notice GES-2025-001 addressing a privilege escalation vulnerability I discovered in their MiCOM S1 Agile Engineering ToolSuite software. This vulnerability could allow attackers to gain Administrator privileges on workstations running the affected software, potentially compromising critical power grid automation systems.

What is the MiCOM S1 Agile Vulnerability?

The vulnerability affects the MiCOM S1 Agile Engineering ToolSuite, used for configuring MiCOM P40 Agile protection relays – critical components in power grid automation systems. The issue stems from improper file permissions that allow an attacker to replace legitimate executable files with malicious ones.

Key vulnerability details:

  • Affected Software: MiCOM S1 Agile Engineering ToolSuite
  • Vulnerable Versions: All versions prior to 3.1.1
  • Attack Vector: Local file replacement leading to privilege escalation
  • Impact: Administrator privileges on the workstation
  • Prerequisites: Basic user access to the target workstation

How Does the Attack Work?

The vulnerability exploits a weakness in how S1 Agile manages file permissions. An attacker with basic user privileges can replace a legitimate executable file in the S1 Agile application folders with a malicious executable. When the computer restarts, the malicious code executes with Administrator privileges, potentially giving complete control over the workstation.

Important Note: While this vulnerability can compromise the workstation, GE Vernova emphasizes that the configured Industrial Electronic Devices (IEDs) themselves remain unaffected.

Why This Matters for Critical Infrastructure

The MiCOM P40 Agile relays are deployed in critical power systems including utility substations, industrial power distribution, and grid automation. A compromised engineering workstation could potentially allow unauthorized access to relay configurations and manipulation of protection settings, and could provide a foothold for lateral movement within industrial networks.

The Responsible Disclosure Process

I discovered this vulnerability during security research and followed responsible disclosure practices by reporting it to GE Vernova’s Product Security Incident Response Team (PSIRT). GE Vernova acknowledged the responsible disclosure in their security notice: “GE Vernova thanks Charit Misra from DNV, Netherlands for responsibly disclosing the vulnerabilities in our product to our PSIRT team.”

How to Protect Your Systems

Immediate Action: Upgrade to Version 3.1.1

The most effective mitigation is upgrading to MiCOM S1 Agile version 3.1.1, released in January 2025. This version ensures only privileged users can access S1 Agile application folders, preventing unauthorized file modifications.
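To confirm on a given workstation that only privileged accounts can modify the application folders, the following PowerShell audit can be run before and after the upgrade. It is an added example, not taken from the GE Vernova notice or from the product; the folder path is a placeholder the operator must supply (the post does not give the install location), and the list of trusted principals is an assumption to adjust per site.

```powershell
# Added example: list ACEs that let non-privileged principals change files under a folder.
param(
    # Placeholder: the S1 Agile application folder on this workstation (not stated in the post).
    [Parameter(Mandatory)][string]$Path
)

# Principals expected to hold write access (well-known SIDs; extend per site policy).
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow replacing or re-permissioning a file, plus GENERIC_ALL and
# GENERIC_WRITE, which Get-Acl can return as raw bits outside the enum.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs (e.g. CREATOR OWNER) do not apply to this object itself.
        if ($ace.PropagationFlags.HasFlag($InheritOnly)) { continue }
        if (-not ([int]$ace.FileSystemRights -band $WriteMask)) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report as-is
        }
        if ($TrustedSids -notcontains $sid) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize -Wrap
if ($findings) { exit 1 }   # non-zero exit so the check can gate a compliance job
```

An empty result means no standard user or group holds write, delete or permission-change rights on the folder tree; any row listing a principal such as Users or Authenticated Users is the condition the 3.1.1 release is described as removing.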

Workarounds for Systems That Cannot Be Immediately Updated

1. Workstation Hardening

  • Implement strong access controls on workstations running S1 Agile
  • Restrict remote access capabilities
  • Apply the principle of least privilege to user accounts

2. Network Segmentation

  • Isolate engineering workstations from general corporate networks
  • Use firewalls to control traffic to engineering workstations

3. Physical Security

  • Secure physical access to workstations running S1 Agile
  • Monitor access to control rooms and engineering stations

Best Practices for Industrial Cybersecurity

This vulnerability highlights key cybersecurity principles:

Defense in Depth: Multiple security layers help prevent successful attacks even if one layer is compromised.

Regular Updates: Keep industrial software updated while balancing operational requirements.

Network Segmentation: Isolate engineering workstations from corporate networks to reduce attack surfaces.

Access Control: Implement strict user access controls and monitoring to prevent unauthorized modifications.

Conclusion

The GE Vernova MiCOM S1 Agile privilege escalation vulnerability demonstrates the importance of security research in industrial control systems. Organizations using MiCOM S1 Agile should prioritize upgrading to version 3.1.1 and implementing recommended security controls.


This blog post is based on publicly available information from GE Vernova security notice GES-2025-001.

