Siemens Energy PLUSCONTROL 1st Gen

Monitor | CVSS 6.5 | ICS-CERT ICSA-21-068-08 | Feb 9, 2021
Siemens Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

PLUSCONTROL 1st Gen secondary protection relay systems contain vulnerabilities (CWE-342) that allow unauthenticated remote modification of protective logic. An attacker can alter relay configurations or disable protection schemes without credentials, impacting grid fault detection and response. All versions are affected with no vendor fix planned. Siemens recommends applying defense-in-depth measures including network segmentation, multi-level redundant protection schemes, VPN access controls, and operational security hardening.

What this means
What could happen
An attacker could modify or disable protective relay logic in PLUSCONTROL 1st Gen devices, potentially causing incorrect fault detection or response that could lead to unplanned power outages or cascading failures in the grid.
Who's at risk
Transmission and distribution system operators (TSOs and DSOs), power utilities, and energy companies worldwide relying on PLUSCONTROL 1st Gen protective relays and secondary protection systems for grid reliability and fault detection.
How it could be exploited
An attacker with network access to the PLUSCONTROL 1st Gen device can send crafted commands to manipulate the secondary protection scheme logic without authentication, allowing them to alter relay setpoints or disable protective functions that are critical to grid stability.
Prerequisites
  • Network access to the PLUSCONTROL 1st Gen device
  • No authentication required
  • Device reachable from attacker's network segment
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • No patch available
  • Affects safety systems (grid protection)
  • Actively exploited in some cases (EPSS 0.4%)
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (7)
4 with fix, 3 EOL
Product                            | Affected Versions | Fix Status
APOGEE PXC Series (BACnet)         | < V3.5.5          | 3.5.5
APOGEE PXC Series (P2 Ethernet)    | < V2.8.20         | 2.8.20
TALON TC Series (BACnet)           | < V3.5.5          | 3.5.5
Nucleus ReadyStart V3              | < V2012.12        | 2012.12
Nucleus NET                        | < V5.2            | No fix (EOL)
Nucleus Source Code                | All versions      | No fix (EOL)
PLUSCONTROL 1st Gen: All versions  | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Implement network segmentation and firewall rules to restrict access to PLUSCONTROL 1st Gen devices from untrusted networks
  • HARDENING: Implement VPN or secure tunneling for any remote access to PLUSCONTROL 1st Gen devices
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Configure devices according to Siemens operational security guidelines to run in a protected IT environment
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Nucleus NET, Nucleus Source Code, PLUSCONTROL 1st Gen: All versions. Apply the following compensating controls:
  • HARDENING: Deploy multi-level redundant secondary protection schemes (grid-level resilience controls) to minimize impact if a single protection device is compromised
  • HARDENING: Monitor PLUSCONTROL 1st Gen devices for unauthorized configuration changes or relay logic modifications