OTPulse

Hitachi Energy RTU500 series BCI

Plan Patch
Score: 7.5
ICS-CERT: ICSA-21-336-04
Published: Dec 2, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Hitachi Energy RTU500 series CMU (Communication Management Unit) contains a flaw in IEC 60870-5-104 message validation. An attacker can send a malformed IEC 60870-5-104 protocol message that causes the device to reboot. The vulnerability affects all versions of RTU500 series CMU firmware. IEC 60870-5-104 is disabled by default, so devices are only at risk if this protocol was explicitly enabled for SCADA master-to-RTU communication.

What this means
What could happen
A remote attacker can reboot the RTU500 device, causing loss of communication with remote sites and disruption to energy distribution monitoring and control until the device automatically recovers.
Who's at risk
Energy utilities operating Hitachi Energy RTU500 series Remote Terminal Units for SCADA communication and monitoring. This affects any RTU500 that has the IEC 60870-5-104 interface enabled (which is disabled by default). If your facility uses RTU500 devices for remote substation monitoring or feeder control, you should verify whether this protocol is in use.
How it could be exploited
An attacker on the network sends a specially crafted IEC 60870-5-104 message to the RTU500's BCI (Broad Communication Interface) port. The device fails to properly validate the message and crashes, forcing a reboot. This requires network access to the device but no credentials or user interaction.
Prerequisites
  • Network access to the RTU500 device on the IEC 60870-5-104 port (typically port 2404/TCP)
  • BCI IEC 60870-5-104 must be enabled on the device (disabled by default, so only devices where it was explicitly turned on are affected)
Tags: remotely exploitable · no authentication required · low complexity · affects SCADA/energy operations · only affects devices with non-default configuration
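The flaw is in how the CMU validates incoming IEC 60870-5-104 messages. As an added example (not from this advisory or from Hitachi Energy), the following Python checker validates the APCI framing that every IEC 104 APDU carries and flags frames that fail it, the kind of sanity check a passive network monitor in front of port 2404/TCP could apply. The advisory does not say which field the crash-triggering message malforms, so the sample frames are constructed and the check is a general framing validator, not a detector for this specific flaw.

```python
START_BYTE = 0x68        # every IEC 104 APDU begins with this octet
MAX_APDU_LENGTH = 253    # largest value the APCI length octet may hold
MIN_ASDU_LENGTH = 6      # type id, VSQ, 2-octet COT, 2-octet common address
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

def parse_apci(frame: bytes) -> dict:
    """Check one APDU's framing and control field; raise ValueError if malformed.
    Returns {"kind": "I"|"S"|"U", ...} with sequence numbers, U function or ASDU."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("missing 0x68 start byte or truncated 6-octet APCI")
    length = frame[1]
    if not 4 <= length <= MAX_APDU_LENGTH:
        raise ValueError(f"length octet {length} outside 4..{MAX_APDU_LENGTH}")
    if len(frame) != length + 2:
        raise ValueError(f"length octet says {length} but {len(frame) - 2} octets follow")
    c1, c2, c3, c4 = frame[2:6]
    recv_seq = (c3 >> 1) | (c4 << 7)
    if c1 & 0x01 == 0:                           # I-format: numbered, carries an ASDU
        if length - 4 < MIN_ASDU_LENGTH:
            raise ValueError("I-frame too short to hold an ASDU header")
        return {"kind": "I", "send_seq": (c1 >> 1) | (c2 << 7),
                "recv_seq": recv_seq, "asdu": frame[6:]}
    if length != 4:
        raise ValueError("S- and U-frames must have length 4")
    if c1 & 0x03 == 0x01:                        # S-format: supervisory acknowledgement
        if c2 != 0 or c3 & 0x01:
            raise ValueError("reserved bits set in S-frame")
        return {"kind": "S", "recv_seq": recv_seq}
    if c1 not in U_FUNCTIONS or (c2, c3, c4) != (0, 0, 0):
        raise ValueError(f"unknown U-frame control octets {frame[2:6].hex()}")
    return {"kind": "U", "function": U_FUNCTIONS[c1]}

def check_frames(frames: list[bytes]) -> list[str]:
    """One 'ok ...' or 'MALFORMED ...' line per frame, suitable for a monitor's log."""
    results = []
    for f in frames:
        try:
            a = parse_apci(f)
            results.append(f"ok {a['kind']}-frame {a.get('function', '')}".rstrip())
        except ValueError as e:
            results.append(f"MALFORMED {f.hex()}: {e}")
    return results

# Constructed sample traffic: TESTFR act, an interrogation-command I-frame, then a
# truncated frame, a length octet that overstates the payload, and a bogus U-frame.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "680443000000", "680e02000200" "64010600010000000014",
    "68044300", "682043000000", "68040f000000")]
```

Running `check_frames(SAMPLE_FRAMES)` yields two "ok" lines followed by three "MALFORMED" lines with the reason each frame was rejected.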
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product: RTU500 series CMU Firmware
Affected Versions: All versions
Fix Status: 12.6.5.0
Remediation & Mitigation
Do now
WORKAROUND: Disable the BCI IEC 60870-5-104 function if it is not required for your operations
HARDENING: Implement firewall rules to restrict network access to RTU500 devices; only allow connections from authorized master stations or engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update RTU500 series CMU Firmware to version 12.6.5.0 or later (e.g., 12.7.x, 13.2.x or later)
Long-term hardening
HARDENING: Ensure RTU500 devices are on a dedicated process control network, physically separated from the Internet and corporate networks