OTPulse

ICSA-18-317-01 Siemens IEC 61850 System Configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC

Monitor · 4.2 · ICS-CERT ICSA-18-317-01 · Jun 26, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Siemens IEC 61850 system configurator and related products (DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, SICAM SCC) contain an improper access control vulnerability (CWE-284) that could allow an attacker to gain unauthorized access to sensitive functions. The vulnerability requires network access to specific ports (4884/TCP, 5885/TCP, or 5886/TCP), high attack complexity, user interaction, and high skill level to exploit. Impact is limited to confidentiality and integrity, with no availability impact.

What this means
What could happen
An attacker could gain unauthorized access to configuration or monitoring functions on affected grid automation and protection devices, potentially allowing them to view or modify system settings. However, this requires network access to the device, user interaction, and significant technical skill to exploit.
Who's at risk
Substation automation and grid protection engineers who deploy Siemens IEC 61850 system configurator, DIGSI (configuration tools for substations), or SICAM PAS/PQS/SCC (substation and power quality monitoring systems). Anyone managing medium-to-large substations or distribution automation systems using these Siemens products should assess their exposure.
How it could be exploited
An attacker must reach one of the vulnerable products over the network on ports 4884/TCP, 5885/TCP, or 5886/TCP and craft a request that exploits improper access control logic. User interaction is required for exploitation to succeed. The attacker does not need valid credentials but must have high technical capability to craft a working exploit.
Prerequisites
  • Network access to ports 4884/TCP, 5885/TCP, or 5886/TCP on the affected device
  • User interaction required for exploitation
  • High technical skill and detailed knowledge of the vulnerability needed
  • Device must be reachable from the attacker's network location
remotely exploitable · high attack complexity · requires user interaction · high skill level needed · no known public exploits · low EPSS score (0.4%)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (6)
6 with fix
Product | Affected Versions | Fix Status
IEC 61850 system configurator | <V5.80 | v5.80
DIGSI 4 | <V4.93 | v4.93
SICAM PAS/PQS | <V8.11 | v8.11
SICAM PQ Analyzer | <V3.11 | v3.11
SICAM SCC | <V9.02 HF3 | v9.02_HF3
DIGSI 5 (affected as IEC 61850 system configurator is incorporated) | <V7.80 | v5.80
Remediation & Mitigation
Do now
WORKAROUND: Configure firewall rules to restrict access to ports 4884/TCP, 5885/TCP, and 5886/TCP to localhost or trusted engineering workstations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

IEC 61850 system configurator
HOTFIX: Update IEC 61850 system configurator to version 5.80 or later
HOTFIX: Update DIGSI 5 to version 7.80 or later, or uninstall IEC 61850 system configurator if upgrade is not feasible
DIGSI 4
HOTFIX: Update DIGSI 4 to version 4.93 or later
SICAM PAS/PQS
HOTFIX: Update SICAM PAS/PQS to version 8.11 or later
SICAM PQ Analyzer
HOTFIX: Update SICAM PQ Analyzer to version 3.11 or later
SICAM SCC
HOTFIX: Update SICAM SCC to version 9.02 HF3 or later
Long-term hardening
HARDENING: Isolate control system networks from the business network and the Internet; ensure affected devices are not directly internet-accessible
HARDENING: If remote access is required, use a VPN or out-of-band management network and keep VPN software updated
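
One way to check a host against the firewall workaround above, as an added example (not part of the advisory and not Siemens tooling): it reads socket-table text and reports advisory-port listeners bound beyond loopback, plus established peers outside a trusted list. The Windows `netstat -ano` layout, the sample rows, the trusted address and the function names are assumptions made for this illustration.

```python
import ipaddress

ADVISORY_PORTS = {4884, 5885, 5886}  # TCP ports named in the advisory

# Constructed sample in Windows `netstat -ano` layout (assumed input format).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:4884           0.0.0.0:0              LISTENING       2312
  TCP    127.0.0.1:5885         0.0.0.0:0              LISTENING       2312
  TCP    [::]:5886              [::]:0                 LISTENING       2312
  TCP    10.20.0.15:4884        10.20.0.40:51522       ESTABLISHED     2312
  TCP    10.20.0.15:4884        192.168.7.99:49833     ESTABLISHED     2312
  TCP    10.20.0.15:445         10.20.0.40:51000       ESTABLISHED     4
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any zone id
    return ipaddress.ip_address(host), int(port)

def audit(netstat_text, trusted):
    """Return findings for the advisory ports: listeners bound beyond
    loopback, and established peers outside the trusted networks."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # headers, UDP rows, blank lines
        try:
            local_ip, local_port = split_endpoint(fields[1])
            peer_ip, _ = split_endpoint(fields[2])
        except ValueError:
            continue  # unparseable row, e.g. '*:*'
        if local_port not in ADVISORY_PORTS:
            continue
        state = fields[3].upper()
        if state == "LISTENING" and not local_ip.is_loopback:
            findings.append(("exposed-listener", str(local_ip), local_port))
        elif state == "ESTABLISHED" and not peer_ip.is_loopback:
            if not any(peer_ip in net for net in trusted_nets):
                findings.append(("untrusted-peer", str(peer_ip), local_port))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, trusted=["10.20.0.40/32"]):
        print(finding)
```

An exposed-listener finding means the port relies entirely on the firewall rule for protection; an untrusted-peer finding means a connection from outside the trusted list got through, so the rule is missing or too broad.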