General Electric is fixing a bug in software used to control the flow of electricity in a utility's power systems after researchers found hackers could shut down parts of an electric grid.
The vulnerability could enable attackers to gain remote control of GE protection relays, allowing them to "disconnect sectors of the power grid at will," according to an abstract posted late last week on the Black Hat security conference website.
Protection relays are circuit breakers that utilities program to open and halt power transmission when dangerous conditions surface.
Interest in grid security has intensified amid the increased use of cyber weapons by nation states, including two high-profile cyber attacks in Ukraine that authorities in Kiev have blamed on Russia.
Three New York University security experts are scheduled to discuss the issue at the Las Vegas Black Hat hacking conference in July. They could not be reached immediately for comment.
GE is not aware of any cases in which hackers exploited the bug to cause power outages, said GE spokeswoman Annette Busateri. The bug only involves older GE protection relays introduced in the 1990s "before current industry expectations for security," she said.
"We have been in the process of issuing notifications and providing product upgrades to our affected customer base on available firmware updates to address this issue," she said.
GE has issued patches for five of six models affected by the vulnerability and will soon release a patch for the sixth model, Busateri said.
Michael Assante, former chief security officer with North American Electric Reliability, which regulates the North American grid, said the product was still widely deployed because the industry runs systems for decades before upgrading to new technologies.
"This is certainly a significant issue," he said.
Hackers caused power to go out in 2015 and 2016 attacks in Ukraine by using other techniques to force breakers to open, Assante said.