PSI GridConnect Telecontrol

Plan Patch8.5ICS-CERT ICSA-19-059-01Feb 28, 2019

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

PSI GridConnect telecontrol devices contain a cross-site scripting (XSS) vulnerability in the web interface that allows authenticated attackers to inject and execute dynamic scripts. Successful exploitation could allow an attacker to perform actions in the context of logged-in operators or view sensitive configuration data. The vulnerability affects Smart Telecontrol Unit TCG, IEC104 Security Proxy, and Telecontrol Gateway models (VM, 3G, XS-MU). Older product versions (4.2.x and 5.0.x) are no longer supported and will not receive patches.

What this means

What could happen

An attacker with network access and valid credentials could inject malicious scripts into the web interface, allowing them to modify operator commands or view sensitive configuration data through cross-site scripting attacks.

Who's at risk

Energy sector organizations operating PSI GridConnect telecontrol equipment for SCADA/EMS systems, including utilities managing generation, transmission, or distribution assets. Affected devices include Smart Telecontrol Unit TCG, Telecontrol Gateways (VM, 3G, XS-MU models), and IEC104 Security Proxies used for grid management and remote device control.

How it could be exploited

An attacker with login credentials to the PSI GridConnect device's web interface can inject scripts into input fields. When operators view the affected page, the malicious script runs in their browser, potentially allowing the attacker to capture additional credentials or commands that alter grid operations.

Prerequisites

Network access to the device's web interface (TCP port 80 or 443)
Valid login credentials for the web interface

Requires valid credentials but credential compromise is possibleRemotely exploitable if web interface is Internet-accessibleCWE-79 cross-site scripting can lead to command injection in grid operationsNo patch available for older product lines (4.2.x, 5.0.x)High CVSS score (8.5)Could affect critical energy infrastructure

Exploitability

Low exploit probability (EPSS 0.9%)

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

Smart Telecontrol Unit TCG:≤ 5.0.27 | ≤ 5.1.19 | ≤ 6.0.165.1.20 or 6.0.17

IEC104 Security Proxy:≤ 2.2.102.2.11

Telecontrol Gateway 3G:≤ 4.2.21 | ≤ 5.0.27 | ≤ 5.1.19 | ≤ 6.0.165.1.20 or 6.0.17

Telecontrol Gateway XS-MU:≤ 4.2.21 | ≤ 5.0.27 | ≤ 5.1.19 | ≤ 6.0.165.1.20 or 6.0.17

Telecontrol Gateway VM:≤ 4.2.21 | ≤ 5.0.27 | ≤ 5.1.19 | ≤ 6.0.165.1.20 or 6.0.17

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDeactivate the web server via CLI if the web interface is not required for device configuration

HARDENINGRestrict network access to the device web interface: place devices behind firewalls, isolate from business network, and disable Internet-facing access

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate affected devices to patched versions: TCG to 5.1.20 or 6.0.17, IEC104 Security Proxy to 2.2.11, or Telecontrol Gateway devices to 5.1.20 or 6.0.17

HARDENINGEnforce strong authentication and limit web interface access to authorized engineering workstations only

CVEs (1)

CVE-2019-6528

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/142cfe4f-44ae-4668-abb9-f5a8ffd666e8