OTPulse

Siemens SIPROTEC Denial-of-Service Vulnerability

ICS-CERT ICSA-15-202-01 · Apr 23, 2015
Summary

A denial-of-service vulnerability (CVE-2015-5374, CWE-400: uncontrolled resource consumption) exists in the EN100 Ethernet communication module, firmware V4.24 and earlier, as fitted to the Siemens SIPROTEC 4 and SIPROTEC Compact protection relay families; every relay in those families that carries an affected EN100 module is exposed, regardless of the relay's own firmware version. Specially crafted packets sent to the module's UDP port 50000 cause the device to stop responding to commands, and it does not recover on its own: a manual restart is required. The affected devices are protection relays that monitor and protect electrical equipment in substations and distribution networks. ICS-CERT reported that Siemens addressed the issue with EN100 firmware V4.25; this page tracks both product lines as end-of-life with no fix available, so modules that cannot be updated must rely on the network mitigations below.

What this means
What could happen
An attacker who can reach the relay's EN100 module over the network can send the crafted packets and knock the module into a non-responsive state that persists until someone restarts it. For that period operators lose monitoring data from, and remote control of, the affected relay. Because the EN100 is the Ethernet communication module, the advisory describes a loss of communication rather than a failure of the relay's local protection logic; it does not say that the relay stops tripping on faults. Loss of visibility and remote control is still serious during a grid fault, and the attack is cheap enough to repeat against every relay on a substation LAN.
Who's at risk
The affected component is the EN100 Ethernet module (V4.24 and earlier). Every Siemens SIPROTEC 4 and SIPROTEC Compact relay fitted with one is exposed, whatever the relay firmware version; these relays are widely deployed in electric utilities and substations for fault detection and protection of distribution and transmission equipment. Utilities using these devices for critical protection functions should prioritize mitigation.
How it could be exploited
An attacker with network reach to the EN100 module sends specially crafted packets to UDP port 50000, the port named in CVE-2015-5374. No authentication or prior session is needed and the packets are small, so the attack can be mounted from any host on the substation LAN or from any network with a route into it. The module stops responding to legitimate communication and commands until it is restarted.
Prerequisites
  • Network access to the EN100 module's UDP port 50000 (routed or on the same segment)
  • No credentials required
Key facts
  • Remotely exploitable
  • No authentication required
  • High EPSS score (84.7%)
  • No fix on this page's tracking (product lines end-of-life); ICS-CERT reported EN100 firmware V4.25 as the vendor fix
  • Affects critical protection systems
  • Denial-of-service impact on safety-critical operations
Exploitability
High exploit probability (EPSS 84.7%: the estimated probability that exploitation activity is observed in the wild within the next 30 days)
Affected products (2, both tracked as end-of-life)

Product                                          | Affected versions                            | Fix status
SIPROTEC 4 and SIPROTEC Compact product families | All versions (with an affected EN100 module) | No fix (EOL); the vendor fix was delivered as EN100 firmware
EN100 Ethernet module                            | ≤ V4.24                                      | No fix (EOL) on this page; ICS-CERT reported firmware V4.25 as the fix
Remediation & Mitigation
Do now
UPDATE      Where an EN100 module can still be updated, apply firmware V4.25 or later (the fix ICS-CERT reported from Siemens); where it cannot, the items below are the only protection
HARDENING   Implement network segmentation and firewall rules so that only authorized engineering and monitoring hosts can reach SIPROTEC devices, and specifically UDP/50000 on the EN100 module; drop everything else at the segment boundary
HARDENING   Disable or restrict access to unused ports and protocols on SIPROTEC devices
HARDENING   Monitor for signs of this attack: UDP/50000 traffic toward relays from hosts outside the allowlist, bursts of such packets from one source, and unexplained loss of communication with a relay (a successful attack leaves the module down until it is restarted, so a relay that goes silent and does not come back is itself a signal)
WORKAROUND  Rate-limit UDP/50000 toward the relays at network boundaries; a firewall cannot validate the proprietary payload, but the attack is a flood of unsolicited packets, which a rate limit does catch
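The allowlist and monitoring items above, as an added example that is not from the OTPulse page or from Siemens: a small Python screen over flow-log lines that flags UDP/50000 traffic toward relays from hosts outside an engineering allowlist, and bursts of such packets from one source to one relay. The log line format, the relay subnet, the allowed host addresses and the burst thresholds are all assumptions constructed for the example; the sample log is likewise constructed.

```python
"""Added example (not from the OTPulse page or Siemens): screen flow/firewall
logs for traffic to SIPROTEC EN100 modules on UDP/50000 that (a) comes from a
host outside the engineering allowlist, or (b) arrives in a burst, the pattern
expected for the crafted-packet denial of service in ICSA-15-202-01.
The log format, addresses and thresholds are constructed assumptions."""
from collections import defaultdict, deque
import ipaddress
import re

# Assumed topology: relays live in 10.20.30.0/24; only these hosts may talk to them.
RELAY_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SOURCES = {
    ipaddress.ip_address("10.20.1.10"),  # engineering workstation (assumed)
    ipaddress.ip_address("10.20.1.11"),  # SCADA front end (assumed)
}
EN100_PORT = 50000      # UDP port named in ICSA-15-202-01 / CVE-2015-5374
BURST_THRESHOLD = 20    # packets from one source to one relay ...
BURST_WINDOW = 5.0      # ... within this many seconds (tune per site)

# Constructed log line format: "<epoch> <proto> <src>:<sport> -> <dst>:<dport> len=<bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<length>\d+)$"
)


def parse_line(line):
    """Return (ts, proto, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (float(m["ts"]), m["proto"],
            ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), int(m["dport"]))


def analyze(lines):
    """Return a list of alert dicts: at most one 'unauthorized_source' and one
    'burst' alert per (source, relay) pair, so a flood does not flood the console."""
    alerts = []
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the sliding window
    flagged = set()               # (kind, src, dst) already reported

    def report(kind, src, dst, ts):
        key = (kind, src, dst)
        if key not in flagged:
            flagged.add(key)
            alerts.append({"kind": kind, "src": str(src), "dst": str(dst), "ts": ts})

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proto, src, dst, dport = rec
        # Only traffic aimed at an EN100's UDP/50000 service is in scope here.
        if dst not in RELAY_NET or proto != "UDP" or dport != EN100_PORT:
            continue
        if src not in ALLOWED_SOURCES:
            report("unauthorized_source", src, dst, ts)
        window = recent[(src, dst)]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:   # slide the window forward
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            report("burst", src, dst, ts)
    return alerts


# Constructed sample: a few legitimate packets, one TCP line that is out of scope
# and ignored, then 25 packets in 1.2 s from a host that is not on the allowlist.
SAMPLE_LOG = [
    "1000.0 UDP 10.20.1.10:41000 -> 10.20.30.5:50000 len=64",
    "1001.0 UDP 10.20.1.10:41000 -> 10.20.30.5:50000 len=64",
    "1002.0 TCP 10.20.1.11:52000 -> 10.20.30.5:102 len=120",
    "1003.0 UDP 10.20.1.11:41001 -> 10.20.30.6:50000 len=64",
] + [f"{1100 + i * 0.05:.2f} UDP 10.20.9.77:55555 -> 10.20.30.5:50000 len=18"
     for i in range(25)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run as-is, the sample produces two alerts for the pair 10.20.9.77 -> 10.20.30.5: the unauthorized-source alert on the first packet and the burst alert when the twentieth packet lands inside the five-second window. In production, feed it from the firewall or NetFlow export at the substation boundary, put in ALLOWED_SOURCES only the hosts that legitimately talk to the module on that port (if any), and set the thresholds from a baseline, since the attack is a flood of small packets while legitimate traffic to the module is low-rate.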