OTPulse

ICSA-19-134-06 Siemens SINAMICS PERFECT HARMONY GH180 Fieldbus Network

Monitor | 7.5 | ICS-CERT ICSA-19-134-06 | May 14, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Siemens SINAMICS PERFECT HARMONY GH180 drive with NXG I or NXG II control modules allows unauthenticated remote modification of fieldbus parameters. An attacker with network access to the fieldbus network can read or write drive parameters without credentials, potentially altering motor speed, torque limits, or other critical setpoints. The vulnerability affects all firmware versions with fieldbus options G21, G22, G23, G26, G28, G31, G32, G38, or G43.

What this means
What could happen
An attacker with network access to the fieldbus network can read or modify sensitive parameters on the SINAMICS drive, potentially altering motor speed setpoints, torque limits, or other critical operating parameters that could disrupt production or cause equipment damage.
Who's at risk
Water utilities, municipal electric systems, and industrial plants using Siemens SINAMICS PERFECT HARMONY GH180 drives for critical motor control in pumps, compressors, fans, or conveyor systems. Any facility where unauthorized changes to motor parameters could disrupt continuous operations or damage equipment.
How it could be exploited
An attacker with network connectivity to the fieldbus network can send commands to read or write fieldbus parameters on affected SINAMICS drives without requiring authentication. The attacker would use the fieldbus protocol (likely PROFIBUS/PROFINET, based on the Siemens product line) to directly access parameter registers on the drive.
Prerequisites
  • Network access to the fieldbus network segment where the SINAMICS drives are connected
  • Knowledge of fieldbus protocol and target drive parameter structure
  • Ability to send custom fieldbus commands to the drive
Tags: remotely exploitable, no authentication required, low complexity, affects critical motor control, no patch available for existing hardware
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
SINAMICS PERFECT HARMONY GH180 with NXG I control, MLFBs: 6SR2...-,6SR2...-, | All Versions with option G21, G22, G23, G26, G28, G31, G32, G38, G43 or | No fix (EOL)
SINAMICS PERFECT HARMONY GH180 with NXG II control, MLFBs: 6SR2...-,6SR2...-, | All Versions with option G21, G22, G23, G26, G28, G31, G32, G38, G43 or | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable fieldbus parameter read/write functionality on affected drives where operationally feasible
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade to SINAMICS PERFECT HARMONY GH180 with NXGpro control (contact Siemens customer service for upgrade package and installation)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SINAMICS PERFECT HARMONY GH180 with NXG I control, MLFBs: 6SR2...-,, SINAMICS PERFECT HARMONY GH180 with NXG II control, MLFBs: 6SR2...-,. Apply the following compensating controls:
HARDENING: Implement network segmentation: isolate fieldbus network from business network with firewalls; place control system devices behind firewalls and restrict direct Internet access
HARDENING: Apply cell protection concept with defense-in-depth security controls around the fieldbus network
HARDENING: For any remote access requirements, deploy VPNs with current security updates and restrict access to authorized engineering workstations only