ICSA-19-134-05 Siemens SINAMICS PERFECT HARMONY GH180 Drives NXG I and NXG II

MonitorCVSS 7.5ICS-CERT ICSA-19-134-05May 14, 2019

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SINAMICS PERFECT HARMONY GH180 drives with NXG I and NXG II controllers (all versions with G28 option) are vulnerable to a denial-of-service attack via the Ethernet Modbus interface. An attacker can send a flood of requests to the controller, exhausting system resources and causing the drive to become unresponsive. This prevents normal motor and pump control, effectively stopping any process dependent on the drive. The vulnerability requires only network access to the Modbus port and no authentication or user interaction.

What this means

What could happen

A remote attacker can crash the GH180 drive controller by overwhelming it with requests, causing loss of motor control and potential process shutdown at any facility relying on this equipment for critical motion control.

Who's at risk

Water and wastewater treatment plants, municipal electric utilities, and any facility using Siemens SINAMICS PERFECT HARMONY GH180 drives (model codes 6SR2, 6SR3, or 6SR4 with G28 option) for motor and pump control should assess their exposure. This affects any critical process relying on continuous motor operation.

How it could be exploited

An attacker with network access to the Ethernet Modbus interface on the drive can send a large number of crafted requests to exhaust system resources (CWE-400). The vulnerability requires no authentication and can be triggered remotely, causing the controller to become unresponsive and halting normal drive operation.

Prerequisites

Network reachability to the Ethernet Modbus interface port (typically Modbus TCP port 502)
No credentials or special configuration required
Drive must have the G28 option installed
Direct path to the drive controller (not protected by a firewall or protocol bridge)

Remotely exploitableNo authentication requiredLow complexity attackNo patch currently availableAffects motor control systems critical to operationsDefault configuration is vulnerable

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (2)

2 pending

ProductAffected VersionsFix Status

SINAMICS PERFECT HARMONY GH180 with NXG I control, MLFBs: 6SR2...-, 6SR3...-, 6SR4...-6SR2...-, 6SR3...-, 6SR4...-: All Versions with option G28No fix yet

SINAMICS PERFECT HARMONY GH180 with NXG II control, MLFBs: 6SR2...-,6SR3...-, 6SR4...-6SR2...-,6SR3...-, 6SR4...-: All Versions with option G28No fix yet

Remediation & Mitigation

0/6

Do now

0/4

WORKAROUNDInstall a protocol bridge between your network and the GH180 drives to isolate and restrict direct Ethernet Modbus connections

HARDENINGApply cell protection concept and implement defense-in-depth strategy to limit exposure of drive controllers

HARDENINGPlace all GH180 drives and controllers on a dedicated control network isolated from business networks via firewall rules

HARDENINGBlock inbound access to Modbus TCP port (502) from any untrusted network segments

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXContact Siemens customer service to plan and schedule an upgrade to the NXGpro control replacement

Long-term hardening

0/1

HARDENINGIf remote access to drives is required, use VPN with strong authentication and keep VPN software updated

CVEs (1)

CVE-2019-6578

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0ecd5b8e-b4a4-4a59-a53f-c26808ead064

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.