OTPulse

Schweitzer Engineering Laboratories, Inc. SEL-3620 and SEL-3622

MonitorCVSS 7.2ICS-CERT ICSA-17-192-06Jul 11, 2017
Schweitzer Engineering
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

SEL-3620 and SEL-3622 Security Gateways (R202, R203, R204 models) contain an improper access control vulnerability (CWE-284) that allows an unauthenticated remote attacker to read sensitive information from the device, including network credentials, access keys, and configuration data. The vulnerability has a CVSS score of 7.2 (High) and requires only network access with no authentication or user interaction. Affected devices act as security boundaries between enterprise networks and control system networks, so compromise could expose credentials used to access downstream protective relays, RTUs, and other critical equipment.

What this means
What could happen
An unauthenticated attacker with network access to a SEL Security Gateway could read sensitive information like network credentials or access keys from the device, potentially allowing them to pivot to other control system assets or disable security monitoring.
Who's at risk
Power utilities and critical infrastructure operators using SEL-3620 or SEL-3622 Security Gateways (models R202, R203, R204 and variants) as network edge protection and access control devices. These gateways protect SCADA systems, protective relays, and other control devices from unauthorized access.
How it could be exploited
An attacker connects to the SEL Security Gateway over the network without credentials and sends a crafted request that bypasses access controls (CWE-284, Improper Access Control). The device responds with sensitive data or allows unauthorized configuration changes, which could expose credentials or allow the attacker to reconfigure gateway rules.
Prerequisites
  • Network access to the SEL Security Gateway from the internet or internal network
  • No authentication required
  • Device configured with default or weak access controls
Remotely exploitableNo authentication requiredLow complexity attackNo patch availableAffects access control systems that protect critical infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (3)
1 pending2 EOL
ProductAffected VersionsFix Status
Security Gateway:R202No fix yet
Security Gateway: R204 R204-V1R204 | R204-V1No fix (EOL)
Security Gateway: R203 R203-V1 R203-V2R203 | R203-V1 | R203-V2No fix (EOL)
Remediation & Mitigation
0/3
Do now
0/2
HARDENINGImplement network segmentation and firewall rules to restrict direct network access to SEL Security Gateways from untrusted networks
WORKAROUNDContact Schweitzer Engineering Labs to confirm if product-specific mitigations or internal patches are available
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor SEL Security Gateway access logs for unexpected connection attempts or configuration changes
View full CISA ICS-CERT advisory
API: /api/v1/advisories/5c064b31-0d99-4cfe-ae0d-e470316114cd

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.