OTPulse

Siemens SIPROTEC 4 and SIPROTEC Compact

Monitor · CVSS 7.5 · ICS-CERT ICSA-20-042-12 · Feb 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 4 and SIPROTEC Compact relays equipped with EN100 Ethernet communication modules are vulnerable to a denial of service attack via malformed input (CWE-20). An attacker on the network can send specially crafted packets to the Ethernet module, causing the relay to become unresponsive. This disrupts protection coordination and potentially leaves critical power grid equipment unprotected if redundant schemes rely on communication between relays. Siemens states that no security updates are available. The company recommends implementing multi-level redundant protection schemes as part of grid resilience design, restricting network access via firewalls and segmentation, and protecting remote access with VPN.

What this means
What could happen
An attacker on the network can cause a denial of service against SIPROTEC protection relays, disrupting coordinated protection schemes that rely on communication between relays and potentially leaving critical power grid equipment unprotected.
Who's at risk
Power utilities and transmission system operators (TSOs) managing SIPROTEC protection relays with EN100 Ethernet modules should care. This affects critical protection equipment at substations that coordinates protective actions (tripping breakers, isolating faults) on power lines and transformers. Any utility using SIPROTEC relays for redundant or coordinated protection schemes is at risk.
How it could be exploited
An attacker with network access to the EN100 Ethernet module can send malformed packets that trigger a denial of service condition in the relay. This causes the relay to stop responding to protection commands or communication, breaking the redundant protection schemes that depend on multi-relay coordination.
Prerequisites
  • Network access to the EN100 Ethernet module on the SIPROTEC relay
  • Relay must be equipped with EN100 Ethernet communication module
  • No authentication required
Remotely exploitable · No authentication required · Low complexity · Affects safety-critical protection systems · No patch available for all versions · CVSS 7.5 (high)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: SIPROTEC 4 and SIPROTEC Compact relays equipped with EN100 Ethernet communication modules
Affected Versions: All versions
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation and firewall rules to restrict access to SIPROTEC relays, allowing only authorized engineering workstations and redundant protection devices to communicate on the relay network
HARDENING: Deploy VPN or encrypted tunnels for any remote engineering or monitoring access to SIPROTEC relays
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Verify that your power grid protection design includes multi-level redundant protection schemes (as required by most grid regulations) so that loss of one relay does not leave equipment unprotected
HARDENING: Monitor relay logs and network traffic to SIPROTEC devices for suspicious activity or unusual denial of service patterns
HOTFIX: Contact Siemens support to inquire about available firmware updates or patches for your specific SIPROTEC 4 or Compact relay models
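The following Python script is an added example, not part of the OTPulse advisory or of Siemens' guidance. It turns the two network-facing mitigations above (an allowlist of hosts permitted to reach the relay network, and monitoring for unusual traffic patterns toward the relays) into checks that run over connection-log records. The relay subnet, the allowlisted workstation and peer-relay addresses, the log line format, and the burst threshold are all assumptions chosen for the example; the sample log lines are constructed.

```python
"""Allowlist and burst checks for traffic toward protection relays (added example)."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed (constructed) values: the subnet holding the relays, and the only
# hosts that should ever talk to them (one engineering workstation and one
# peer relay in the same protection scheme).
RELAY_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SOURCES = {
    ipaddress.ip_address("10.0.1.5"),    # engineering workstation (assumed)
    ipaddress.ip_address("10.20.30.12"),  # peer relay (assumed)
}

# Assumed log format (constructed): ISO timestamp, then key=value pairs.
_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> dict:
    """Parse one constructed log line into timestamp and addresses."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields.get("proto", ""),
    }


def unauthorized_sources(records, relay_subnet=RELAY_SUBNET,
                         allowed=ALLOWED_SOURCES) -> set[str]:
    """Sources that reached a relay address without being on the allowlist.
    Any hit is a segmentation/firewall gap, whatever the traffic volume."""
    return {
        str(r["src"]) for r in records
        if r["dst"] in relay_subnet and r["src"] not in allowed
    }


def burst_sources(records, window_seconds: float = 1.0,
                  threshold: int = 20, relay_subnet=RELAY_SUBNET) -> dict[str, int]:
    """Sources sending more than `threshold` packets to a single relay within
    any sliding window of `window_seconds`. Returns {source: peak_count}."""
    by_pair: dict[tuple, list[datetime]] = defaultdict(list)
    for r in records:
        if r["dst"] in relay_subnet:
            by_pair[(r["src"], r["dst"])].append(r["ts"])

    result: dict[str, int] = {}
    for (src, _dst), times in by_pair.items():
        times.sort()
        left = 0
        peak = 0
        for right, t in enumerate(times):
            # Slide the left edge until the window is at most window_seconds wide.
            while (t - times[left]).total_seconds() > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak > threshold:
            result[str(src)] = max(result.get(str(src), 0), peak)
    return result


def constructed_log() -> list[str]:
    """Constructed sample: normal traffic from allowed hosts, then an unlisted
    host sending 40 packets to one relay within 0.8 s."""
    lines = [
        "2020-02-11T10:00:00.000+00:00 src=10.0.1.5 dst=10.20.30.11 proto=tcp",
        "2020-02-11T10:00:01.000+00:00 src=10.20.30.12 dst=10.20.30.11 proto=tcp",
        "2020-02-11T10:00:02.000+00:00 src=10.0.9.77 dst=10.20.30.11 proto=tcp",
    ]
    lines += [
        f"2020-02-11T10:00:05.{i * 20:03d}+00:00 src=10.0.9.77 dst=10.20.30.11 proto=tcp"
        for i in range(40)
    ]
    return lines


def analyze(lines) -> dict:
    """Run both checks and return their findings together."""
    records = [parse_record(line) for line in lines]
    return {
        "unauthorized": unauthorized_sources(records),
        "bursts": burst_sources(records),
    }


if __name__ == "__main__":
    report = analyze(constructed_log())
    print("Sources not on the allowlist:", sorted(report["unauthorized"]))
    print("Sources exceeding the burst threshold:", report["bursts"])
```

The allowlist check is the stronger of the two: on a properly segmented relay network any unlisted source is a finding, regardless of volume. The burst check is a fallback for traffic that passes the firewall, and its threshold has to be tuned against the normal polling rate of the engineering and peer-relay traffic on your own network.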