OTPulse

ICSA-18-067-02_Siemens SIPROTEC 4, SIPROTEC Compact, and Reyrolle Devices using the EN100 Ethernet Communication Module Extension (Update B)

Action: Plan Patch
CVSS: 7.5
Source: ICS-CERT ICSA-18-067-02
Published: Mar 8, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens EN100 Ethernet modules used in SIPROTEC 4, SIPROTEC Compact, and Reyrolle protective relays lack authentication on network commands. The modules accept unauthenticated configuration and control commands over the network, allowing unauthorized modification of relay settings and operation. The vulnerability affects all five communication protocol variants: PROFINET IO, IEC 104, DNP3, IEC 61850, and Modbus TCP. Protective relays are critical to substation protection and grid stability; unauthorized command execution could disrupt load shedding, breaker control, or other automated protective functions.

What this means
What could happen
An attacker with network access to the EN100 module could modify or corrupt the device configuration and operation, potentially disrupting protective relay functions and grid stability in substations.
Who's at risk
Substation operators and utilities using Siemens SIPROTEC protective relays, SIPROTEC Compact devices, or Reyrolle protection equipment equipped with EN100 Ethernet modules. All five protocol variants (PROFINET IO, IEC 104, DNP3, IEC 61850, and Modbus TCP) are affected. This impacts both transmission and distribution substations relying on these devices for grid protection.
How it could be exploited
An attacker on the network sends unauthenticated commands to the EN100 module's listening port. The module accepts and executes the commands without verifying the sender's identity or authorization, allowing the attacker to alter device settings or stop operations. No valid credentials or authentication are required.
Prerequisites
  • Network access to the EN100 module's communication port (PROFINET, IEC 104, DNP3, IEC 61850, or Modbus TCP depending on variant)
  • Device must be reachable from the attacker's network segment
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Affects safety-critical protective relays
  • No patch available for PROFINET IO and Modbus TCP variants
  • Default or weak security controls
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (5): 3 with fix, 2 EOL

Product | Affected versions | Fix status
EN100 Ethernet module PROFINET IO variant | All versions | No fix (EOL)
EN100 Ethernet module IEC 61850 variant | All versions < 4.30 | Fixed in 4.30
EN100 Ethernet module Modbus TCP variant | All versions | No fix (EOL)
EN100 Ethernet module DNP3 variant | All versions < 1.04 | Fixed in 1.04
EN100 Ethernet module IEC 104 variant | All versions < 1.22 | Fixed in 1.22
Remediation & Mitigation
Do now
HARDENING: Isolate EN100 modules from the business network using firewalls or network segmentation
HARDENING: Restrict network access to EN100 modules to only authorized engineering and monitoring systems
WORKAROUND: For PROFINET IO and Modbus TCP variants, which have no patch available, implement strict firewall rules that deny all access to the module ports except from authorized hosts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EN100 DNP3 variant to v1.04 and configure maintenance password
HOTFIX: Update EN100 IEC 61850 variant to v4.30
HOTFIX: Update EN100 IEC 104 variant to v1.22
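The affected-products table and the remediation list above translate directly into an inventory check: compare each module's firmware against the fixed version for its variant, and treat the PROFINET IO and Modbus TCP variants as permanently vulnerable so that only the network workaround applies. The script below is an added example, not code from OTPulse, Siemens, or ICS-CERT. The fix thresholds are the ones in this advisory; the relay names, addresses, engineering hosts and the nftables table/chain names are constructed assumptions for illustration. It also emits a default-deny allowlist for every module, patched or not, because the "Do now" hardening applies to all variants.

```python
"""Triage EN100 inventory against ICSA-18-067-02 and emit an allowlist policy.

Added example; not code from OTPulse, Siemens, or ICS-CERT. Fix thresholds
come from the advisory table on this page. The inventory, host names and
addresses below are constructed sample data; the nftables table/chain names
are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Fixed firmware per EN100 variant (None = no fix available, EOL).
FIXED_VERSION: dict[str, Optional[str]] = {
    "IEC 61850": "4.30",
    "DNP3": "1.04",
    "IEC 104": "1.22",
    "PROFINET IO": None,
    "Modbus TCP": None,
}


def parse_version(v: str) -> tuple[int, ...]:
    """'V4.30' -> (4, 30). Numeric tuples avoid the lexical trap '4.9' > '4.30'."""
    return tuple(int(part) for part in v.strip().lstrip("vV").split("."))


@dataclass(frozen=True)
class Module:
    host: str      # relay name (constructed)
    ip: str        # EN100 module address (constructed)
    variant: str   # key of FIXED_VERSION
    firmware: str  # EN100 firmware version string


@dataclass(frozen=True)
class Finding:
    host: str
    variant: str
    vulnerable: bool
    action: str


def triage(m: Module) -> Finding:
    """Map one module to vulnerable/not plus the advisory's remediation step."""
    if m.variant not in FIXED_VERSION:
        raise ValueError(f"unknown EN100 variant: {m.variant!r}")
    fixed = FIXED_VERSION[m.variant]
    if fixed is None:
        # PROFINET IO / Modbus TCP: no patch, only the network workaround applies.
        return Finding(m.host, m.variant, True,
                       "no fix (EOL): allow only authorized engineering/monitoring hosts")
    if parse_version(m.firmware) < parse_version(fixed):
        action = f"update to v{fixed}"
        if m.variant == "DNP3":
            action += " and configure maintenance password"
        return Finding(m.host, m.variant, True, action + " (maintenance window)")
    return Finding(m.host, m.variant, False, "patched; keep segmentation in place")


def allowlist_rules(modules: list[Module], authorized: list[str],
                    table: str = "inet ot", chain: str = "forward") -> list[str]:
    """Default-deny nftables rules (nft -f syntax): only `authorized` sources
    may reach each module; everything else to that module is dropped.
    Emitted for every module regardless of patch state."""
    rules = []
    for m in modules:
        for src in authorized:
            rules.append(f"add rule {table} {chain} ip saddr {src} ip daddr {m.ip} accept")
        rules.append(f"add rule {table} {chain} ip daddr {m.ip} drop")
    return rules


# Constructed sample inventory (names and addresses are made up).
INVENTORY = [
    Module("SUB1-F1-7SJ62", "10.20.1.11", "IEC 61850", "V4.25"),
    Module("SUB1-T1-7UT61", "10.20.1.12", "IEC 61850", "V4.30"),
    Module("SUB2-F3-7SD52", "10.20.2.21", "DNP3", "V1.03"),
    Module("SUB2-F4-7SJ80", "10.20.2.22", "IEC 104", "V1.22"),
    Module("SUB3-F1-REYROLLE", "10.20.3.31", "Modbus TCP", "V1.10"),
]
ENGINEERING_HOSTS = ["10.0.100.5", "10.0.100.6"]  # assumed authorized sources


def report(modules: list[Module] = INVENTORY) -> list[Finding]:
    return [triage(m) for m in modules]


if __name__ == "__main__":
    for f in report():
        flag = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{f.host:18} {f.variant:12} {flag:10} {f.action}")
    print("\n".join(allowlist_rules(INVENTORY, ENGINEERING_HOSTS)))
```

The version comparison is numeric on purpose: a relay reporting "V4.9" must not be judged newer than the "4.30" fix. Feed `allowlist_rules` output to `nft -f` only after the table and chain exist and the rules have been reviewed against the site's actual engineering and SCADA master addresses.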