OTPulse

Siemens SWT3000

Monitor · CVSS 5.3 · ICS-CERT ICSA-17-334-01 · Nov 30, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Siemens SWT3000 device (TPOP and IEC 61850 firmware versions) contains vulnerabilities related to authentication bypass and input validation (CWE-287, CWE-288, CWE-20). An attacker on the network can bypass authentication mechanisms and access the device without valid credentials, potentially reading sensitive operational data. The device does not properly validate or encrypt communications, so an attacker with a low skill level can gain remote access. Siemens is providing updated firmware through the Customer Support Center.

What this means
What could happen
An attacker with network access to the SWT3000 could intercept and read sensitive data transmitted without encryption. This could expose operational data such as power flow readings, device configurations, or control parameters.
Who's at risk
Utilities operating Siemens SWT3000 devices (protection and control equipment) in power generation, transmission, or distribution networks are affected. This includes substations and power plants using TPOP or IEC 61850 firmware variants.
How it could be exploited
An attacker with network access can send requests directly to the SWT3000 device without authenticating. The device accepts and processes these requests, revealing information that should be protected.
Prerequisites
  • Network access to the SWT3000 device on port(s) used by TPOP or IEC 61850 firmware
  • No credentials required
  • Device must be deployed and operational
Remotely exploitable · No authentication required · Low complexity attack · No patch available currently · Affects critical power system equipment
Exploitability
Moderate exploit probability (EPSS 2.4%)
Affected products (2)
2 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| TPOP firmware: All | < 01.01.00 | No fix (EOL) |
| IEC 61850 firmware: All | < 4.29.01 | No fix (EOL) |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to SWT3000 devices using firewall rules or network segmentation to limit connections to authorized engineering and control stations only.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Siemens Customer Support Center (support.energy@siemens.com) to obtain updated firmware and apply it to affected TPOP and IEC 61850 systems.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: TPOP firmware: All, IEC 61850 firmware: All. Apply the following compensating controls:
HARDENING: Review and implement Siemens Operational Guidelines for Industrial Security to harden the operational environment.
Siemens SWT3000 | CVSS 5.3 - OTPulse