ICSA-18-067-02_Siemens SIPROTEC 4, SIPROTEC Compact, and Reyrolle Devices using the EN100 Ethernet Communication Module Extension (Update B)

Plan PatchCVSS 7.5ICS-CERT ICSA-18-067-02Mar 8, 2018

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens EN100 Ethernet modules used in SIPROTEC 4, SIPROTEC Compact, and Reyrolle protective relays lack authentication on network commands. The modules accept unauthenticated configuration and control commands over the network, allowing unauthorized modification of relay settings and operation. The vulnerability affects all five communication protocol variants: PROFINET IO, IEC 104, DNP3, IEC 61850, and Modbus TCP. Protective relays are critical to substation protection and grid stability; unauthorized command execution could disrupt load shedding, breaker control, or other automated protective functions.

What this means

What could happen

An attacker with network access to the EN100 module could modify or corrupt the device configuration and operation, potentially disrupting protective relay functions and grid stability in substations.

Who's at risk

Substation operators and utilities using Siemens SIPROTEC protective relays, SIPROTEC Compact devices, or Reyrolle protection equipment equipped with EN100 Ethernet modules. All five protocol variants (PROFINET IO, IEC 104, DNP3, IEC 61850, and Modbus TCP) are affected. This impacts both transmission and distribution substations relying on these devices for grid protection.

How it could be exploited

An attacker on the network sends unauthenticated commands to the EN100 module's listening port. The module accepts and executes the commands without verifying the sender's identity or authorization, allowing the attacker to alter device settings or stop operations. No valid credentials or authentication are required.

Prerequisites

Network access to the EN100 module's communication port (PROFINET, IEC 104, DNP3, IEC 61850, or Modbus TCP depending on variant)
Device must be reachable from the attacker's network segment

Remotely exploitableNo authentication requiredLow complexityAffects safety-critical protective relaysNo patch available for PROFINET IO and Modbus TCP variantsDefault or weak security controls

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (5)

3 with fix2 EOL

ProductAffected VersionsFix Status

EN100 Ethernet module PROFINET IO variant: All versionsAll versionsNo fix (EOL)

EN100 Ethernet module IEC 61850 variant: All< 4.304.30

EN100 Ethernet module Modbus TCP variant: All versionsAll versionsNo fix (EOL)

EN100 Ethernet module DNP3 variant: All< 1.041.04

EN100 Ethernet module IEC 104 variant: All< 1.221.22

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGIsolate EN100 modules from the business network using firewalls or network segmentation

HARDENINGRestrict network access to EN100 modules to only authorized engineering and monitoring systems

WORKAROUNDFor PROFINET IO and Modbus TCP variants with no patch available, implement strict firewall rules to deny unauthorized access to the module ports

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate EN100 DNP3 variant to v1.04 and configure maintenance password

HOTFIXUpdate EN100 IEC 61850 variant to v4.30

HOTFIXUpdate EN100 IEC 104 variant to v1.22

CVEs (1)

CVE-2018-4838

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/bf9d2c11-a8bf-4852-9c16-df35f7c71f9d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.