OTPulse

Siemens SIPROTEC 4, SIPROTEC Compact, DIGSI 4, and EN100 Ethernet Module (Update D)

CVSS score: 7.5
Source: ICS-CERT ICSA-18-067-01
Published: Mar 8, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 4 and SIPROTEC Compact protective relays, along with EN100 Ethernet communication modules, contain a vulnerability in their engineering authentication mechanism. The DIGSI 4 engineering software and the EN100 modules use a weak password protection scheme: specially crafted engineering protocol messages let an attacker reconstruct the access authorization password or overwrite it. An attacker with network access to the relay or module can therefore obtain the engineering password without presenting valid credentials and then use it to remotely reconfigure relay protection logic, modify setpoints, or disable the relay entirely. All versions prior to the fixed releases are affected. Fixes exist for DIGSI 4, the EN100 DNP3 and IEC 61850 variants, and the listed relay models; no firmware fix is available for the EN100 IEC 104, Modbus TCP, and PROFINET IO variants or for other SIPROTEC 4 and SIPROTEC Compact relays.

What this means
What could happen
An attacker with network access to a SIPROTEC relay or EN100 module could reconstruct or overwrite the engineering access password, allowing unauthorized remote configuration changes that could disable protective relays or alter power system protection settings.
Who's at risk
Electric utility substations and power distribution systems using Siemens SIPROTEC 4 or SIPROTEC Compact numerical protective relays, and EN100 Ethernet communication modules. Affected device types include line differential relays (7SD80), overcurrent and earth-fault relays (7SJ61/62/64/66/80), motor protection relays (7SK80), and EN100 modules used for DNP3, IEC 104, IEC 61850, Modbus TCP, and PROFINET IO protocols. Any utility relying on these relays for transmission or distribution system protection is impacted.
How it could be exploited
An attacker sends specially crafted DIGSI 4 engineering protocol packets over Ethernet to the relay or EN100 module. The vulnerable authentication mechanism allows the attacker to reconstruct the engineering password or overwrite it without providing valid credentials. Once the password is known or replaced, the attacker can connect with DIGSI 4 software to reconfigure protection logic or disable relay functions.
Prerequisites
  • Network reachability of the Ethernet interface of the SIPROTEC relay or EN100 module over which the DIGSI 4 engineering protocol is accepted (the engineering channel, not the module's SCADA protocol port such as 502 for Modbus TCP; the SCADA protocol variant only determines which EN100 firmware line applies)
  • DIGSI 4 engineering software available to the attacker, or the ability to send raw DIGSI 4 protocol frames
  • Target device running a vulnerable firmware version (see the affected products table below)
Tags: remotely exploitable, low complexity attack, no authentication required for password extraction, affects critical infrastructure protection systems, no patch available for EN100 IEC 104, Modbus TCP, and PROFINET IO variants
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (15): 10 with fix, 5 end of life

Product                                   | Affected versions | Fix status
DIGSI 4                                   | < V4.92           | Update to V4.92
EN100 Ethernet module DNP3 variant        | < V1.05.00        | Update to V1.05.00 and configure a DIGSI 4 connection password
EN100 Ethernet module IEC 61850 variant   | < V4.30           | Update to V4.30 and configure a DIGSI 4 connection password
EN100 Ethernet module IEC 104 variant     | All versions      | No fix planned (end of life)
EN100 Ethernet module Modbus TCP variant  | All versions      | No fix planned (end of life)
EN100 Ethernet module PROFINET IO variant | All versions      | No fix planned (end of life)
SIPROTEC 4 7SD80                          | < V4.70           | Update to V4.70
SIPROTEC 4 7SJ61                          | < V4.96           | Update to V4.96
SIPROTEC 4 7SJ62                          | < V4.96           | Update to V4.96
SIPROTEC 4 7SJ64                          | < V4.96           | Update to V4.96
SIPROTEC 4 7SJ66                          | < V4.30           | Update to V4.30
SIPROTEC Compact 7SJ80                    | < V4.77           | Update to V4.77
SIPROTEC Compact 7SK80                    | < V4.77           | Update to V4.77
Other SIPROTEC 4 relays                   | All versions      | No fix planned (end of life)
Other SIPROTEC Compact relays             | All versions      | No fix planned (end of life)
Remediation & Mitigation

Do now

EN100 Ethernet module
WORKAROUND: Configure a DIGSI 4 connection password on EN100 Ethernet modules (DNP3 and IEC 61850 variants). The fix for these variants requires this password in addition to the firmware update, so set it now where the module already supports it and keep it in place after the update.
Schedule (requires maintenance window)

Firmware updates take the relay or module out of service while they run. Plan a protection outage or backup protection for the duration, and verify the parameter set and protection functions before returning the device to service.

DIGSI 4
HOTFIX: Update DIGSI 4 to version 4.92 or later
EN100 Ethernet module
HOTFIX: Update the EN100 Ethernet module IEC 61850 variant to version 4.30 or later and configure a DIGSI 4 connection password
HOTFIX: Update the EN100 Ethernet module DNP3 variant to version 1.05.00 or later and configure a DIGSI 4 connection password
SIPROTEC 4 7SD80
HOTFIX: Update SIPROTEC 4 7SD80 to version 4.70 or later
SIPROTEC 4 7SJ61, 7SJ62, 7SJ64
HOTFIX: Update SIPROTEC 4 7SJ61, 7SJ62, and 7SJ64 to version 4.96 or later
SIPROTEC 4 7SJ66
HOTFIX: Update SIPROTEC 4 7SJ66 to version 4.30 or later
SIPROTEC Compact 7SJ80
HOTFIX: Update SIPROTEC Compact 7SJ80 to version 4.77 or later
SIPROTEC Compact 7SK80
HOTFIX: Update SIPROTEC Compact 7SK80 to version 4.77 or later
Mitigations - no patch available

The following products have reached end of life with no planned fix: EN100 Ethernet module IEC 104 variant, EN100 Ethernet module Modbus TCP variant, EN100 Ethernet module PROFINET IO variant, other SIPROTEC 4 relays, other SIPROTEC Compact relays. Because no firmware fix will ship, the compensating controls below are permanent for these devices and replacement of the affected module or relay should be planned. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate SIPROTEC relays and EN100 modules from untrusted network segments using firewalls or VLANs
HARDENING: Restrict engineering access to DIGSI 4 to designated engineering workstations on a protected management network
HARDENING: Ensure relay and EN100 module Ethernet ports are not directly reachable from the corporate IT network or the Internet