OTPulse

Siemens Energy PLUSCONTROL 1st Gen

Monitor | CVSS 6.5 | ICS-CERT ICSA-21-068-08 | Mar 9, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

PLUSCONTROL 1st Gen secondary protection relay systems contain vulnerabilities (CWE-342) that allow unauthenticated remote modification of protective logic. An attacker can alter relay configurations or disable protection schemes without credentials, impacting grid fault detection and response. All versions are affected with no vendor fix planned. Siemens recommends applying defense-in-depth measures including network segmentation, multi-level redundant protection schemes, VPN access controls, and operational security hardening.

What this means
What could happen
An attacker could modify or disable protective relay logic in PLUSCONTROL 1st Gen devices, potentially causing incorrect fault detection or response that could lead to unplanned power outages or cascading failures in the grid.
Who's at risk
Transmission and distribution system operators (TSOs and DSOs), power utilities, and energy companies worldwide relying on PLUSCONTROL 1st Gen protective relays and secondary protection systems for grid reliability and fault detection.
How it could be exploited
An attacker with network access to the PLUSCONTROL 1st Gen device can send crafted commands to manipulate the secondary protection scheme logic without authentication, allowing them to alter relay setpoints or disable protective functions that are critical to grid stability.
Prerequisites
  • Network access to the PLUSCONTROL 1st Gen device
  • No authentication required
  • Device reachable from attacker's network segment
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • No patch available
  • Affects safety systems (grid protection)
  • Actively exploited in some cases (EPSS 0.4%)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
PLUSCONTROL 1st Gen: All versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Implement network segmentation and firewall rules to restrict access to PLUSCONTROL 1st Gen devices from untrusted networks
  • HARDENING: Implement VPN or secure tunneling for any remote access to PLUSCONTROL 1st Gen devices
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Configure devices according to Siemens operational security guidelines to run in a protected IT environment
Mitigations - no patch available
PLUSCONTROL 1st Gen: All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Deploy multi-level redundant secondary protection schemes (grid-level resilience controls) to minimize impact if a single protection device is compromised
  • HARDENING: Monitor PLUSCONTROL 1st Gen devices for unauthorized configuration changes or relay logic modifications
Siemens Energy PLUSCONTROL 1st Gen | CVSS 6.5 - OTPulse