OTPulse

GE D60 Line Distance Relay

Priority: Act Now
CVSS: 9.8
Advisory: ICS-CERT ICSA-18-046-02
Published: Feb 15, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

GE D60 line distance relays running firmware version 7.11 or earlier contain buffer overflow vulnerabilities (CWE-121, CWE-119) that allow remote, unauthenticated code execution. The vulnerabilities have a CVSS score of 9.8 and can be exploited remotely by an attacker with a low skill level. An attacker could execute arbitrary code on the relay, potentially compromising protection logic or causing relay malfunction.

What this means
What could happen
An attacker on your network could remotely run arbitrary code on a D60 relay without any credentials, potentially causing false trip signals, preventing legitimate protection actions, or disrupting power distribution to critical equipment.
Who's at risk
Electric utilities operating GE D60 line distance relays in protection schemes. These devices are critical for detecting faults and triggering circuit breaker operations. Affected organizations include any utility with feeders or transmission/distribution lines protected by D60 relays.
How it could be exploited
An attacker with network access to the D60 device (typically on your protection LAN or accessible via serial-to-Ethernet) can send a specially crafted network packet to exploit buffer overflow vulnerabilities (CWE-121, CWE-119) in the firmware. No authentication is required. The attacker gains code execution on the relay processor itself.
Prerequisites
  • Network connectivity to D60 device on port 502 (Modbus TCP) or equivalent protocol
  • D60 firmware version 7.11 or earlier
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity, high CVSS (9.8), affects safety-critical protection systems, buffer overflow vulnerability
Exploitability
Moderate exploit probability (EPSS 4.5%)
Affected products (1)
Product | Affected Versions | Fix Status
D60 devices running firmware: | ≤ 7.11 | > 7.11
Remediation & Mitigation
Do now
HOTFIX: Contact GE to obtain and apply firmware update for D60 devices. Coordinate with your operations team to schedule replacement or firmware upgrade during a maintenance window.
WORKAROUND: Immediately implement network segmentation: restrict access to D60 relays to only authorized engineering workstations and protection control systems using firewall rules on your protection LAN gateway.
HARDENING: Disable remote access to D60 devices if not operationally required. If remote access is necessary, restrict it to a bastion host or jump server with strong access controls and audit logging.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Implement network monitoring to detect unusual access patterns to D60 devices (unexpected source IPs, unusual port access, connection attempts from non-engineering networks).
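
One way to implement the monitoring check above, as an added example that is not part of the original advisory or GE's guidance. The flow-log format, relay addresses and engineering subnet are constructed assumptions; port 502 is taken from the prerequisites listed earlier.

```python
import ipaddress

# All addresses are constructed sample values (RFC 1918 / RFC 5737 ranges).
RELAYS = {ipaddress.ip_address("10.20.0.11"), ipaddress.ip_address("10.20.0.12")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.5.0/28")]  # engineering workstations (assumed)
EXPECTED_PORTS = {502}  # Modbus TCP, per the advisory prerequisites (assumed to be the only one in use)

def parse_flow(line):
    """Parse 'timestamp src_ip dst_ip dst_port' (hypothetical flow-log format)."""
    ts, src, dst, port = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def classify(line):
    """Return findings for one flow record; an empty list means expected traffic."""
    _ts, src, dst, port = parse_flow(line)
    if dst not in RELAYS:
        return []  # not addressed to a D60 relay, out of scope for this check
    findings = []
    if not any(src in net for net in ALLOWED_SOURCES):
        findings.append("unexpected-source")
    if port not in EXPECTED_PORTS:
        findings.append("unusual-port")
    return findings

def review(lines):
    """Return (record, findings) pairs for every record that needs attention."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            findings = classify(line)
        except ValueError:
            # Malformed records are surfaced rather than silently dropped.
            findings = ["unparseable"]
        if findings:
            alerts.append((line, findings))
    return alerts

SAMPLE_FLOWS = """\
# constructed sample records
2018-02-16T08:00:01Z 10.20.5.3 10.20.0.11 502
2018-02-16T08:03:12Z 10.30.9.44 10.20.0.11 502
2018-02-16T08:04:40Z 10.20.5.3 10.20.0.12 23
2018-02-16T08:05:02Z 192.0.2.77 10.20.0.12 8080
2018-02-16T08:06:00Z 10.20.5.4 10.20.9.9 502
""".splitlines()

if __name__ == "__main__":
    for record, findings in review(SAMPLE_FLOWS):
        print(",".join(findings), "|", record)
```

The same allowlist of sources and ports can double as the basis for the firewall rules in the segmentation workaround, so that monitoring alerts on exactly what the gateway is meant to block.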