Siemens SIPROTEC 4 and SIPROTEC Compact Vulnerabilities
CVSS 5.3 · ICS-CERT ICSA-16-250-01 · Jun 10, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The EN100 Ethernet module for SIPROTEC 4 and SIPROTEC Compact relays contains an information disclosure vulnerability. The module transmits sensitive configuration data, including protection settings and relay parameters, without encryption or authentication. An attacker on the network can passively capture or actively request this sensitive information to understand the protection scheme, system topology, and relay configuration details.
What this means
What could happen
An attacker with network access to the EN100 module could read sensitive configuration information from SIPROTEC relays, potentially exposing protection settings and system parameters that could be used to plan further attacks or disrupt power distribution operations.
Who's at risk
Electric utilities and power distribution operators using Siemens SIPROTEC 4 or SIPROTEC Compact protection relays with optional EN100 Ethernet modules. This affects distance relays, overcurrent relays, and other protection devices used in substations and generation facilities that rely on these modules for remote communication and settings management.
How it could be exploited
An attacker on the network sends unencrypted requests to the EN100 Ethernet module without authentication, receives sensitive configuration data in plaintext responses, and uses this information to map the protection relay settings and network topology.
Prerequisites
- Network connectivity to the EN100 Ethernet module (port 502 or similar)
- No authentication required
- EN100 module installed on SIPROTEC 4 or SIPROTEC Compact relay
Tags: remotely exploitable, no authentication required, low complexity, affects safety/protection systems, no patch available
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product: EN100 Ethernet module (as optional for SIPROTEC 4 and SIPROTEC Compact): <V4.29
Affected Versions: <V4.29
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the EN100 module using firewall rules; allow only authorized engineering workstations and SCADA servers to communicate with the relay
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Disable remote access to the EN100 module if not required for normal operations
Mitigations - no patch available
EN100 Ethernet module (as optional for SIPROTEC 4 and SIPROTEC Compact): <V4.29 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate SIPROTEC relays on a separate management network segment with strict access controls
HARDENING: Implement network segmentation between protection relays and corporate IT networks
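To make the "Do now" workaround and the segmentation controls checkable, here is an added example (not from the advisory or from Siemens): a small Python allowlist check run over constructed flow records that flags any host reaching the relay segment without being an authorized engineering workstation or SCADA server. The relay segment, the allowlisted addresses and the flow-log format are assumptions; port 502 is the value the advisory's prerequisites name.

```python
import ipaddress

# Constructed assumptions: the protection-relay management segment and the
# EN100 port named in the advisory's prerequisites (port 502).
RELAY_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
EN100_PORT = 502

# Hosts permitted to reach the relays, per the workaround: engineering
# workstations and SCADA servers (constructed addresses).
AUTHORIZED_SOURCES = [
    ipaddress.ip_network("10.10.5.0/28"),   # engineering workstations
    ipaddress.ip_network("10.10.9.10/32"),  # SCADA server
]

# Constructed flow records: "<timestamp> <src> <sport> <dst> <dport> <proto>".
FLOW_LOG = """\
2016-06-10T08:01:12Z 10.10.5.3 49152 10.20.30.7 502 tcp
2016-06-10T08:02:45Z 10.10.9.10 51000 10.20.30.7 502 tcp
2016-06-10T08:03:01Z 192.168.50.21 40123 10.20.30.7 502 tcp
2016-06-10T08:03:30Z 10.10.5.3 49153 10.20.30.8 80 tcp
2016-06-10T08:04:02Z 10.30.1.77 33333 10.20.30.9 502 tcp
"""

def is_authorized(src):
    """True if the source address lies inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED_SOURCES)

def parse_flow(line):
    """Return (timestamp, src, dst, dport), or None for a malformed line."""
    fields = line.split()
    if len(fields) != 6 or not fields[4].isdigit():
        return None
    return fields[0], fields[1], fields[3], int(fields[4])

def unauthorized_relay_access(log_text):
    """Flag flows into the relay segment from hosts outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, dport = flow
        if ipaddress.ip_address(dst) not in RELAY_SEGMENT or is_authorized(src):
            continue
        alerts.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                       "en100_port": dport == EN100_PORT})
    return alerts
```

Running `unauthorized_relay_access(FLOW_LOG)` on the constructed log reports the two flows from hosts outside the allowlist; the same allowlist is what the firewall rules in the workaround should enforce.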