ICSA-19-043-02 Siemens EN100 Ethernet Communication Module and SIPROTEC 5 Relays

MonitorCVSS 7.5ICS-CERT ICSA-19-043-02Feb 12, 2019

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The EN100 Ethernet Communication Module and SIPROTEC 5 relays contain an improper input validation flaw in their network protocol handlers (IEC 61850, MODBUS TCP, DNP3 TCP, IEC 60870-5-104, and PROFINET IO). A malformed packet sent to the device on its configured protocol port can crash the Ethernet communication module, causing loss of communication and protection relay function. The vulnerability affects firmware versions before V4.35 for EN100 (IEC 61850 variant), all firmware versions of EN100 (MODBUS TCP, DNP3 TCP, IEC 104, and PROFINET IO variants), and SIPROTEC 5 relays with CP300/CP100 before V7.82 and CP200 before V7.58.

What this means

What could happen

An attacker on the network could send a malformed packet to crash the EN100 Ethernet module or SIPROTEC 5 relay, causing the protection device to go offline and leaving the power grid or critical infrastructure unprotected.

Who's at risk

Operators of electrical substations, generation facilities, and power distribution networks using Siemens SIPROTEC 5 protective relays (which depend on EN100 Ethernet communication modules to send trip signals) should assess whether their devices are affected. Any protection relay model using CP100, CP200, or CP300 CPU cards is at risk.

How it could be exploited

An attacker with network access to port 102 (IEC 61850), 502 (MODBUS TCP), 20000 (DNP3 TCP), 2404 (IEC 60870-5-104), or 34962 (PROFINET) can send a crafted packet that violates input validation checks, causing the communication module to crash and stop relaying protection signals.

Prerequisites

Network access to the EN100 Ethernet module or SIPROTEC 5 relay on the configured protocol port
Device must be deployed and in-service on the network
No authentication or credentials required to send the malformed packet

remotely exploitableno authentication requiredlow complexity attackaffects safety and protection systemsavailability impact via denial of service

Exploitability

Unlikely to be exploited — EPSS score 0.5%

Affected products (7)

7 pending

ProductAffected VersionsFix Status

Firmware variant IEC 61850 for EN100 Ethernet module<V4.35No fix yet

Firmware variant MODBUS TCP for EN100 Ethernet moduleAll versionsNo fix yet

Firmware variant DNP3 TCP for EN100 Ethernet moduleAll versionsNo fix yet

Firmware variant IEC104 for EN100 Ethernet moduleAll versionsNo fix yet

Firmware variant Profinet IO for EN100 Ethernet moduleAll versionsNo fix yet

SIPROTEC 5 relays with CPU variants CP300 and CP100 and the respective<V7.82No fix yet

SIPROTEC 5 relays with CPU variants CP200 and the respective Ethernet<V7.58No fix yet

Remediation & Mitigation

0/5

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate EN100 Ethernet module firmware to V4.35 or later

HOTFIXUpdate SIPROTEC 5 CP300/CP100 Ethernet communication modules to firmware V7.82 or later

HOTFIXUpdate SIPROTEC 5 CP200 Ethernet communication modules to firmware V7.58 or later

Long-term hardening

0/2

HARDENINGIsolate EN100 Ethernet modules and SIPROTEC 5 relays to a protected network segment behind a firewall; restrict access to management and protocol ports from untrusted networks

HARDENINGMonitor network traffic to these devices for malformed or unexpected packets on protocol ports

CVEs (1)

CVE-2018-16563

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/79489dca-67c6-45be-ab85-31eb6d9a661d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.