OTPulse

ABB Relion 650 and 670 Series

Monitor · 5.3 · ICS-CERT ICSA-19-330-02 · Nov 26, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The ABB Relion 650 and 670 series protective relays contain an input validation flaw (CWE-20) in the SPA protocol handler. A remote attacker can send a crafted packet to port 7001/TCP, causing an unhandled exception that reboots the device. The result is a denial of service condition that temporarily disables the protection relay's ability to detect and respond to power system faults. No public exploits are known to exist, but the attack requires only network access and no authentication. Affected versions include Relion 650 v1.3.0.5 and earlier, and Relion 670 v1.2.3.18, v2.0.0.11, and v2.1.0.1 and earlier.

What this means
What could happen
An attacker could reboot the Relion 650/670 relay, causing a temporary loss of protection relay function and potential disruption to power system monitoring and control.
Who's at risk
Utilities operating ABB Relion 650 and 670 series protective relays should prioritize this. These relays are critical for power system protection on transmission and distribution networks. Any relay reboot causes a brief loss of protection coverage, which is particularly risky during fault conditions.
How it could be exploited
An attacker with network access to port 7001/TCP can send a specially crafted packet to the SPA protocol handler, triggering an unhandled exception that reboots the relay device. The attack requires no credentials or user interaction.
Prerequisites
  • Network access to port 7001/TCP on the Relion 650/670 relay
  • The SPA protocol must be enabled on the device (default in most configurations)
remotely exploitable · no authentication required · low complexity · affects safety systems · no patch available for some versions
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
Relion 650 series | ≤ 1.3.0.5 | 1.3.0.6
Relion 670 series | ≤ 2.0.0.11 | 1.2.3.19
Relion 670 series | ≤ 2.1.0.1 | 1.2.3.19
Relion 670 series | ≤ 1.2.3.18 | 1.2.3.19
Remediation & Mitigation
Do now
WORKAROUND: Block incoming traffic to port 7001/TCP from outside the control network using firewall rules
WORKAROUND: Disable the SPA protocol over TCP/IP on Relion 650 series v1.3 if not required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Relion 650 series to version 1.3.0.6 or later
HOTFIX: Update Relion 670 series to version 1.2.3.19 or later
HOTFIX: Update Relion 670 series to version 2.0.0.12 or later
HOTFIX: Update Relion 670 series to version 2.1.0.2 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate protection relays from direct external access and limit connections to authorized engineering workstations only
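For inventory triage against the hotfix list above, the comparison has to be made per release branch: a plain "newer than 1.2.3.19" check would mark a Relion 670 on 2.0.0.11 as fixed. The following is an added example, not ABB or OTPulse code; the function names and the inventory are constructed, and it assumes a branch is identified by the major.minor part of the firmware version.

```python
# Added example, not vendor or OTPulse code: branch-aware firmware triage.
# Assumption: a release branch is identified by major.minor of the version.
FIXED = {  # first fixed release per series and branch, from the hotfix list
    "650": {(1, 3): (1, 3, 0, 6)},
    "670": {(1, 2): (1, 2, 3, 19), (2, 0): (2, 0, 0, 12), (2, 1): (2, 1, 0, 2)},
}

def parse_version(text):
    """'v2.0.0.11' -> (2, 0, 0, 11); raises ValueError on malformed input."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(series, version_text):
    """Return (status, first_fixed_release_or_None) for one relay."""
    branches = FIXED.get(series)
    if branches is None:
        return ("NOT_COVERED", None)  # series not named in this advisory
    version = parse_version(version_text)
    fixed = branches.get(version[:2])
    if fixed is not None:
        status = "VULNERABLE" if version < fixed else "FIXED"
        return (status, ".".join(map(str, fixed)))
    # Branch not named in the advisory: "and earlier" covers anything older
    # than the oldest listed branch; newer branches need a manual check.
    if version < min(branches.values()):
        return ("VULNERABLE", None)
    return ("REVIEW", None)

# Constructed inventory: (asset tag, series, reported firmware)
INVENTORY = [
    ("sub-a/relay-01", "670", "2.0.0.11"),
    ("sub-a/relay-02", "670", "1.2.3.19"),
    ("sub-b/relay-01", "670", "2.1.0.2"),
    ("sub-b/relay-02", "650", "v1.3.0.5"),
    ("sub-c/relay-01", "650", "1.1.0.4"),
]

def report(inventory=INVENTORY):
    """Map each asset tag to its triage result."""
    return {tag: triage(series, fw) for tag, series, fw in inventory}

if __name__ == "__main__":
    for tag, (status, fixed) in report().items():
        print(f"{tag:16} {status:11} first fixed release: {fixed or 'none listed'}")
```

Relays reported as VULNERABLE with no listed release sit on a branch the hotfix list does not name, so the port 7001/TCP workarounds are the available control for them.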