"Vulnerability in Flow Computers Used by Major Oil & Gas Companies Around the World Can Allow Attackers to Remotely Control Oil or Gas Quantities and Modify Gas Bills"
The use of flow computers, which are specialized computers that calculate oil and gas volume and flow rates, is a critical component of the production and distribution of electric power. These devices monitor liquids or gases critical for process reliability and safety, and serve as inputs for other processes (i.e., alarms, records, and settings), so precision is essential. Billing is an important aspect of flow computers' function in a utility. ABB flow computers are critical due to their widespread use in large oil and gas utilities. However, they have flaws that can allow an attacker to interfere with measurements by remotely executing code on the target device. Because flow measurement calculations, specifically those involving gas flow, need a substantial amount of computing power, they are often handled by a low-power Central Processing Unit (CPU) rather than a microcontroller. Flow meters read raw data from connected sensors, which can measure the volume of material in various ways depending on what is being measured. Flow meters such as electromagnetic, vortex, differential pressure, thermal, coriolis, and others are examples. An investigation focused on ABB's FLO G5 flow computers. The FLO G5 is a single-board computer with a CPU, Ethernet, USB, and various IO interfaces. The CPU is an ARMv8 processor with a 32-bit architecture, and the device's operating system is Linux. The important thing to note is that the setup is done using a proprietary protocol developed by ABB called TotalFlow. Using this protocol on top of a serial or Ethernet (TCP) connection is possible. The TotalFlow protocol (TCP/9999) is used for most client-device communication, such as retrieving gas flow calculations, establishing and obtaining device settings, and importing and exporting configuration files. The flaw, tracked as CVE-2022-0902, has a CVSS vulnerability-severity score of 8.1 out of 10 and was recently fixed in an ABB firmware upgrade. This article continues to discuss the potential impact of the vulnerability in flow computers used by major oil and gas companies.