1. Scope & Purpose
Purpose: This Vulnerability Scan Report documents the results of a Tenable Nessus Pro authenticated scan of MVEC's corporate IT network and a manual vulnerability review of OT/ICS assets using CISA ICS-CERT advisories and vendor security bulletins. It supports evaluation of C2M2 THREAT domain practices TVM-1 through TVM-3 and maps identified vulnerabilities to remediation priorities.
Scan Scope: IT scan covered 192.168.1.0/24 (corporate LAN), including all servers (SRV-001 through SRV-006), office workstations, and network devices accessible from the management VLAN. The OT network (10.0.10.0/24) was NOT scanned with active tools to avoid disruption to live grid operations; OT vulnerabilities are based on firmware version analysis and published ICS advisories.
Critical Note: MVEC has no existing vulnerability management program. This assessment represents the first structured vulnerability review ever performed. Scanning of the OT network has never been performed. No vulnerability tracking database or remediation workflow exists.
2. Vulnerability Summary
| Metric | Count |
|---|---|
| Critical | 9 |
| High | 18 |
| Medium | 24 |
| Low | 11 |
| Informational | 7 |
| Total Findings | 69 |
| Critical — IT | 4 |
| Critical — OT | 5 |
| Vuln Mgmt Program | 0 |
| Prior Scan History | 0 |
| Pen Tests (Ever) | 0 |
3. Critical & High IT Vulnerabilities
| Finding ID | CVE / Advisory | CVSS | Severity | Affected Asset | Description | Remediation | Status |
|---|---|---|---|---|---|---|---|
| IT-V-001 | CVE-2020-1472 | 10.0 | Critical | SRV-003 (ACCTG) | ZeroLogon — Netlogon privilege escalation allows unauthenticated attacker to take over domain controller. Unpatched on Win 2012 R2 EOL host. | Patch unavailable (EOL); migrate OS to Win 2022 | Open |
| IT-V-002 | CVE-2017-0144 | 9.8 | Critical | SRV-003 (ACCTG) | EternalBlue — SMBv1 remote code execution. SMBv1 enabled on Win 2012 R2; exploitable from corporate LAN segment. | Disable SMBv1 immediately; migrate OS | Open |
| IT-V-003 | CVE-2021-34527 | 8.8 | Critical | SRV-001, SRV-003, SRV-005 | PrintNightmare — Windows Print Spooler RCE / LPE. Print Spooler service running and exposed on three servers; unpatched on SRV-003. | Apply cumulative patches; disable Print Spooler on servers where not needed | Partial |
| IT-V-004 | CVE-2021-26855 | 9.8 | Critical | M365 (Exchange Online) — on-prem hybrid connector | ProxyLogon — Exchange SSRF leading to RCE. Legacy on-prem hybrid Exchange connector not fully patched; exposed externally via port 443. | Retire on-prem hybrid connector; move fully to M365 Exchange Online | Open |
| IT-V-005 | CVE-2022-26134 | 9.8 | High | SRV-001 (FILESRV) | Confluence OGNL injection (applies only if Confluence is deployed on this host); Nessus also flagged an outdated Java runtime (JRE 8u261) with multiple RCE-class vulnerabilities. | Update JRE to current LTS; review all Java-dependent applications | Open |
| IT-V-006 | Multiple (Win 10 21H2) | 8.1 avg | High | Field Laptops ×6 | Windows 10 21H2 (out of support Jan 2024); 6 field laptops not enrolled in RMM. Average of 14 unpatched High-severity CVEs per device based on OS version. | Enroll in RMM; enforce patch compliance; upgrade to Win 10 22H2 or Win 11 | Open |
| IT-V-007 | CVE-2023-20269 | 8.1 | High | NET-001/005 (Cisco ASA) | Cisco ASA SSL VPN unauthorized access vulnerability. ASA 9.16(4) is affected; no SmartNet contract to obtain patched IOS image. | Renew SmartNet and apply ASA 9.18(4); or replace firewall hardware | Open |
| IT-V-008 | CWE-521 / No CVE | — | High | All servers, SCADA HMI | Weak / no password policy enforcement. Local accounts on all servers have no enforced complexity, rotation, or lockout policy. No AD/LDAP. Nessus confirmed accounts with passwords ≥ 2 years unchanged. | Implement domain controller (AD) or enforce local password GPO; set 90-day rotation | Open |
| IT-V-009 | CVE-2022-30190 | 7.8 | High | Office endpoints (M365) | Follina — MSDT RCE via Office documents. Affects unpatched endpoints running Microsoft 365; some endpoints not fully current on M365 updates. | Apply Microsoft 365 July 2022 update on all endpoints; enforce M365 auto-update policy | Partial |
| IT-V-010 | No CVE — Config | — | High | Corp LAN — 192.168.1.0/24 | Layer-3 route exists between corporate LAN (192.168.1.0/24) and OT network (10.0.10.0/24). No stateful inspection or ACL enforced on this path. IT→OT traffic is unrestricted. | Implement dedicated OT firewall/DMZ; restrict IT-OT routing to specific monitored paths | Open |
4. Critical & High OT/ICS Vulnerabilities
Assessment Method: Active scanning of the OT network (10.0.10.0/24) was NOT performed. OT findings are based on firmware version review, published CISA ICS-CERT advisories (ICSAs), vendor security bulletins, and field interview with MVEC's SCADA Engineer (Dobrowski, March 12, 2025).
| Finding ID | Advisory / CVE | CVSS | Severity | Affected Asset | Description | Remediation | Status |
|---|---|---|---|---|---|---|---|
| OT-V-001 | ICSA-23-047-01 (GE e-terra) | 9.8 | Critical | OT-001 (GE e-terra SCADA) | GE e-terra platform EOL Dec 2021. Multiple unpatched vulnerabilities including unauthenticated API access and hardcoded service credentials. No patches available from GE. Platform is directly accessible from SCADA01 server on OT LAN. | Network isolation; disable unused services; plan SCADA platform migration (FY 2026) | Partially Mitigated |
| OT-V-002 | No CVE — Config Issue | 9.1 | Critical | OT-006 (SEL-351 — SS-02) | SEL-351 protective relay at Sub-Substation 02 is operating with factory default password ("OTTER"). Relay is accessible over DNP3 from SCADA system. Any operator with network access can modify protection settings, clear events, or disable relay functions. | Change default password immediately; document relay access credentials in credential vault | Open — CRITICAL |
| OT-V-003 | IEC 62351 gap — No CVE | 8.6 | Critical | All OT — DNP3 communications | DNP3 Secure Authentication v5 (SAv5) is NOT implemented on any MVEC OT device or SCADA master. All DNP3 sessions (SCADA↔RTU, SCADA↔relays) are unauthenticated. Susceptible to spoofing, replay, and man-in-the-middle attacks from OT network access. | Implement DNP3 SAv5 on SCADA master and RTUs; short-term: enforce strict OT network isolation | Open |
| OT-V-004 | ICSA-22-349-14 (GE D20MX) | 8.1 | Critical | OT-002, OT-003 (GE D20MX RTUs) | GE D20MX running firmware 2.12 is affected by ICSA-22-349-14 (improper authentication in web management interface). Allows unauthenticated configuration changes via HTTP port 80. FW 2.17 fixes this; current devices are 23 months behind. | Update D20MX firmware to 2.17; disable web management interface if update delayed | Update Scheduled Q3 2025 |
| OT-V-005 | No CVE — Architecture | 8.5 | Critical | OT Network — 10.0.10.0/24 | No IDS/IPS monitoring on OT network. No OT security monitoring tool (e.g., Claroty, Dragos, Nozomi) deployed. Anomalous traffic, unauthorized device connections, or active attacks on OT devices would go undetected. Combined with finding OT-V-003 (unauthenticated DNP3), attacker dwell time could be unlimited. | Deploy OT-safe passive monitoring (Claroty or Dragos); route OT syslog to SIEM | Open |
| OT-V-006 | No CVE — Config | 7.8 | High | OT-002, OT-003 (D20MX web mgmt) | HTTP web management interface (port 80) enabled on both D20MX RTUs. No TLS/HTTPS available. Management credentials transmitted in cleartext. Accessible from OT network segment without additional authentication. | Disable HTTP management port on both RTUs; use serial console for configuration | Open |
| OT-V-007 | ICSA-21-159-11 (SEL) | 7.5 | High | OT-004 (SEL-2414), OT-005 (SEL-351 SS-01) | SEL devices affected by ICSA-21-159-11 (improper neutralization of special characters in Telnet interface). Telnet enabled by default on older SEL firmware versions. Current FW R510 addresses this but Telnet should be explicitly disabled. | Verify Telnet is disabled on all SEL devices; upgrade to latest firmware | Review Pending |
| OT-V-008 | Always-on VPN — GE Grid | 7.2 | High | SCADA network — GE VPN tunnel | GE Grid Solutions maintains an always-on IPSec VPN tunnel to MVEC SCADA network (10.0.10.0/24). This tunnel is not monitored by MVEC and grants GE persistent remote access to OT assets. Lateral movement from GE's environment to MVEC OT is theoretically possible without MVEC visibility. | Convert to on-demand VPN with MVEC approval workflow; implement MFA for vendor access; log all sessions | Open |
5. Medium-Severity IT Findings (Selected)
| Finding ID | CVE / Issue | CVSS | Affected Asset(s) | Description | Status |
|---|---|---|---|---|---|
| IT-M-001 | CVE-2021-36942 | 7.5 | SRV-001 (FILESRV) | Windows LSA spoofing vulnerability (PetitPotam). Allows unauthenticated attacker to coerce NTLM authentication from Windows server. No patch applied on FILESRV. | Open |
| IT-M-002 | No CVE — Config | — | All servers | RDP (port 3389) exposed on all servers on corporate LAN without NLA enforcement. No IP restriction. Accessible from any LAN host. | Open |
| IT-M-003 | No CVE — Config | — | Cisco ASA (NET-001) | SNMP v2c enabled with community string "public" readable. Allows network topology enumeration from any LAN host. Should be restricted or upgraded to SNMPv3. | Open |
| IT-M-004 | No CVE — Config | — | Corp LAN | No network-level egress filtering. Any LAN host can initiate outbound connections to any internet destination on any port. Facilitates command-and-control (C2) beaconing by malware. | Open |
| IT-M-005 | No CVE — Config | — | Corp LAN | No DNS sinkholing or DNS-layer security (e.g., Cisco Umbrella, Cloudflare Gateway). DNS queries are forwarded directly to ISP resolver with no malicious domain blocking. | Open |
| IT-M-006 | No CVE — Process | — | All endpoints | No email security gateway (anti-phishing, anti-spoofing, sandboxing). M365 Defender basic included in license; advanced anti-phishing (Defender for Office P2) not licensed. | Open |
| IT-M-007 | No CVE — Config | — | SRV-003 (ACCTG) | SMB signing disabled. Allows potential NTLM relay attacks from LAN. SMB signing should be enforced via Group Policy. | Open |
6. Vulnerability Age & Remediation Velocity
| Finding ID | CVE Published | Days Exposed | Known Exploited (KEV) | MVEC Exposure Risk |
|---|---|---|---|---|
| IT-V-002 (EternalBlue) | Mar 2017 | 2,932 days | Yes — CISA KEV | Direct LAN exposure; WannaCry-class ransomware risk |
| IT-V-001 (ZeroLogon) | Aug 2020 | 1,672 days | Yes — CISA KEV | Exploited by nation-state actors targeting utilities |
| IT-V-004 (ProxyLogon) | Mar 2021 | 1,490 days | Yes — CISA KEV | Internet-facing hybrid Exchange connector |
| IT-V-003 (PrintNightmare) | Jun 2021 | 1,371 days | Yes — CISA KEV | Three servers; LAN exploitation possible |
| OT-V-002 (Default Password) | N/A — Config | Unknown (years) | N/A | Internal OT network; relay configuration manipulation risk |
CISA Known Exploited Vulnerabilities (KEV): MVEC has 4 confirmed CISA KEV catalog entries unpatched on production systems. CISA BOD 22-01 (applicable as best practice to critical infrastructure) requires KEV remediation within 14 days (critical) or 6 months (all others). MVEC has not remediated any KEV-listed vulnerabilities despite advisories dating back to 2017.
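The KEV cross-reference and days-exposed figures in this section are the computation a recurring vulnerability management process (TVM-1b/1c in section 9) would automate. The following Python is an added example, not part of this report or of Nessus; it assumes a KEV excerpt using the real feed's field names but constructed placeholder dates, and finding publication dates constructed from the month values in the table above.

```python
"""Cross-reference findings against a CISA KEV excerpt, compute days exposed as of
the scan date, and rank remediation: KEV first, longest exposure first, then CVSS."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import json

SCAN_DATE = date(2025, 3, 15)  # IT scan date stated in the report
# KEV excerpt with the real feed's field names (cveID, dateAdded, dueDate,
# knownRansomwareCampaignUse); the date values are CONSTRUCTED placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2017-0144", "dateAdded": "2022-02-10", "dueDate": "2022-08-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2020-1472", "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-34527", "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
]})

@dataclass
class Finding:
    finding_id: str
    cve: str | None         # None for configuration findings without a CVE
    cvss: float
    published: date | None  # CVE publication date; None when not applicable

# Constructed sample drawn from the report's tables; exact days are illustrative.
FINDINGS = [
    Finding("IT-V-003", "CVE-2021-34527", 8.8, date(2021, 7, 1)),
    Finding("IT-V-002", "CVE-2017-0144", 9.8, date(2017, 3, 14)),
    Finding("OT-V-002", None, 9.1, None),   # SEL-351 default password: no CVE
    Finding("IT-V-005", "CVE-2022-26134", 9.8, date(2022, 6, 2)),
    Finding("IT-V-001", "CVE-2020-1472", 10.0, date(2020, 8, 11)),
]

def load_kev(raw: str) -> dict:
    """Index a KEV feed (JSON text) by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def triage(findings, kev, as_of=SCAN_DATE):
    """One dict per finding, sorted for remediation; kev_overdue_days counts
    days past the catalog's BOD 22-01 due date (None when not in KEV)."""
    rows = []
    for f in findings:
        entry = kev.get(f.cve) if f.cve else None
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({
            "finding_id": f.finding_id,
            "cve": f.cve or "n/a",
            "cvss": f.cvss,
            "days_exposed": (as_of - f.published).days if f.published else None,
            "kev": entry is not None,
            "kev_overdue_days": (as_of - due).days if due else None,
            "ransomware_use": bool(entry and entry["knownRansomwareCampaignUse"] == "Known"),
        })
    rows.sort(key=lambda r: (not r["kev"], -(r["days_exposed"] or 0), -r["cvss"]))
    return rows
```

Point `load_kev` at the downloaded CISA KEV JSON and feed it findings exported from the scanner to produce the same ordering as the table above, with configuration findings that carry no CVE kept in the queue rather than dropped.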
7. Penetration Testing & Red Team History
No Penetration Testing Has Ever Been Performed at MVEC. No red team, external network penetration test, social engineering assessment, or phishing simulation has ever been conducted. MVEC has no baseline for attacker TTPs, detection capability, or incident response effectiveness. The current vulnerability scan represents the first structured security assessment in MVEC's history.
| Assessment Type | Last Performed | Vendor | Scope | Finding |
|---|---|---|---|---|
| External Network Penetration Test | Never | N/A | N/A | Gap — Never Performed |
| Internal Network Penetration Test | Never | N/A | N/A | Gap — Never Performed |
| OT / ICS Security Assessment | Never | N/A | N/A | Gap — Never Performed |
| Phishing Simulation | Never | N/A | N/A | Gap — Never Performed |
| Vulnerability Scan (IT) | March 15, 2025 | TechPath (Nessus Pro) | 192.168.1.0/24 | First Scan — This Report |
| Vulnerability Scan (OT) | Never | N/A | N/A | Gap — Manual Review Only |
8. Threat Landscape Relevant to MVEC
| Threat Actor / Category | Relevance to MVEC | TTPs (MITRE ATT&CK) | MVEC Exposure | C2M2 Gap |
|---|---|---|---|---|
| Nation-State (ICS-targeted) | VOLTZITE / Sandworm — electric grid targeting; rural cooperatives are soft targets | T0862, T0817, T0883 (OT spearphishing, lateral movement to ICS) | High | No OT monitoring; unauthenticated DNP3; EOL SCADA |
| Ransomware Groups | Colonial Pipeline-style attack via IT→OT pivot; MVEC IT-OT segmentation gap enables this path | T1486 (Data Encrypted), T1190 (Exploit Public-Facing), T0817 | High | EternalBlue/ZeroLogon unpatched; no EDR; no backup isolation |
| Business Email Compromise (BEC) | MVEC processes ~$2.3M/month in member billing; BEC targeting financial transfers is a known rural co-op risk | T1566.002 (Spearphishing Link), T1078 (Valid Accounts) | High | No MFA; no anti-phishing; no email security gateway |
| Insider Threat | Small staff with broad access; no PAM; shared accounts; no behavioral monitoring | T1078, T0859 (Valid Accounts — ICS) | Medium | No PAM; shared SCADA_ADMIN account; no SIEM/UBA |
| Supply Chain / Vendor | TechPath always-on VPN + GE Grid always-on OT VPN; trust-but-don't-verify third-party access model | T0862, T1195 (Supply Chain Compromise) | Medium | No vendor session monitoring; always-on VPN uncontrolled |
9. C2M2 THREAT Domain — MIL Assessment
| Practice ID | Practice Description | MIL Rating | Rationale |
|---|---|---|---|
| TVM-1a | Perform vulnerability assessments for assets | MIL 0 | No vulnerability assessments were performed prior to this assessment. No recurring scan schedule exists. |
| TVM-1b | Monitor threat sources for new vulnerability information | MIL 0 | No staff monitors CISA KEV, ICS-CERT advisories, or vendor bulletins. No threat intel subscription in place. |
| TVM-1c | Remediate vulnerabilities based on risk | MIL 0 | No remediation program. 4 CISA KEV findings unaddressed for 1,400–2,900+ days. No vulnerability tracking database. |
| TVM-2a | Prioritize vulnerabilities for remediation based on mission impact | MIL 0 | No criticality-based prioritization framework exists. No CVSS or risk-based triage process. |
| TVM-2b | Perform penetration testing or red team exercises | MIL 0 | No penetration testing has ever been performed on IT or OT networks. |
| TVM-3a | Establish and implement a formal vulnerability management process | MIL 0 | No documented vulnerability management policy or procedure. No SIEM, IDS/IPS, or monitoring platform. |
| TVM-3b | Share threat intelligence with sector partners (E-ISAC) | MIL 0 | MVEC is not enrolled in E-ISAC or any threat intelligence sharing program. |
Overall THREAT Domain Rating: MIL 0. MVEC does not yet perform any of the seven THREAT domain practices (TVM-1a through TVM-3b) at a repeatable level; every practice is rated MIL 0, the lowest possible rating, which makes THREAT the largest C2M2 maturity gap of all domains assessed.
10. Prioritized Remediation Roadmap
| Priority | Action | Owner | Target Date | Est. Cost | Vuln(s) Addressed |
|---|---|---|---|---|---|
| P1 — 48 Hours | Change default password on SEL-351 relay at SS-02 | MVEC SCADA Eng. (Dobrowski) | Immediately | $0 | OT-V-002 |
| P1 — 14 Days | Disable SMBv1 on SRV-003 (ACCTG) and all endpoints | TechPath MSP | Apr 11, 2025 | Included in MSP SLA | IT-V-002 (EternalBlue) |
| P1 — 14 Days | Disable HTTP management port (port 80) on GE D20MX RTUs | MVEC SCADA Eng. + GE Grid | Apr 11, 2025 | $0 | OT-V-006 |
| P1 — 30 Days | Implement firewall ACL to block IT→OT unrestricted routing; segment OT VLAN | TechPath MSP | Apr 28, 2025 | $2,000 (labor) | IT-V-010, OT-V-005 |
| P1 — 30 Days | Convert GE Grid VPN from always-on to on-demand with MVEC approval workflow | IT Mgr (Harmon) + GE Grid | Apr 28, 2025 | $1,500 (config) | OT-V-008 |
| P2 — 60 Days | Complete OS migration SRV-003: Win 2012 R2 → Win 2022 (eliminates ZeroLogon, EternalBlue, PrintNightmare on EOL host) | TechPath MSP | May 28, 2025 | $4,200 | IT-V-001, IT-V-002, IT-V-003 |
| P2 — 60 Days | Enroll field laptops in TechPath RMM; deploy managed Defender; enforce Win 10 22H2 | TechPath MSP | May 28, 2025 | Included in MSP SLA | IT-V-006 |
| P2 — 90 Days | Subscribe to CISA KEV alerts and E-ISAC threat intelligence feed; assign monitoring responsibility | IT Mgr (Harmon) | Jun 2025 | $0 (free) | TVM-1b — MIL 0→1 |
| P2 — 90 Days | Retire on-prem Exchange hybrid connector; migrate to full M365 Exchange Online | TechPath MSP | Jun 2025 | $3,500 | IT-V-004 (ProxyLogon) |
| P3 — 120 Days | Implement vulnerability management program: recurring Nessus scans (monthly IT, quarterly manual OT review), tracking database, remediation SLAs | TechPath + IT Mgr | Jul 2025 | $6,000/yr (Nessus license) | TVM-1a, TVM-1c — MIL 0→1 |
| P3 — 180 Days | Deploy OT passive monitoring tool (Claroty CTD or Dragos Community Edition); route OT events to SIEM | TechPath + MVEC SCADA | Sep 2025 | $18,000–$35,000/yr | OT-V-005 — OT visibility |
| P3 — 180 Days | Commission first external network penetration test; include OT environment review | IT Mgr (Harmon) + Board | Sep 2025 | $15,000–$25,000 | TVM-2b — MIL 0→1 |
| Long-Term | Implement DNP3 SAv5 authentication on SCADA master and all RTUs/relays as part of SCADA platform migration | GM + Board + GE Grid | FY 2026–2027 | Bundled with SCADA migration | OT-V-003 |