Hitachi Energy Relion 670/650/SAM600-IO
Plan Patch
CVSS: 8.1
ICS-CERT ICSA-21-336-05
Nov 4, 2021
Attack Vector: Local
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A vulnerability exists in Hitachi Energy Relion 670, Relion 650, and SAM600-IO series devices where an older version of VxWorks runs during the boot sequence before the main application firmware loads. An attacker with physical or front network port access who triggers a device reboot can exploit this brief window to execute code in the VxWorks bootloader, potentially causing denial-of-service or other impacts. The vulnerability affects versions: Relion 670 (2.2.0 through 2.2.4.2), Relion 650 (2.2.0 through 2.2.4.2), and SAM600-IO (2.2.1.0 through 2.2.1.6).
What this means
What could happen
An attacker with physical access to the device front port or the ability to cause a reboot could execute code during the boot process, resulting in denial-of-service that would disable the protection relay and stop power grid operations until the device recovers or is manually restored.
Who's at risk
Utilities operating Hitachi Energy protection relays (Relion 670, Relion 650, and SAM600-IO series) in substations and distributed generation facilities are affected. These are critical devices for power system protection and fault isolation. Plant operators and substation engineers should prioritize identification of affected devices.
How it could be exploited
An attacker must have direct access to the device's front network port and the ability to initiate a reboot sequence. During the brief boot window before the main firmware loads, the older VxWorks version becomes vulnerable to exploitation. The attacker could then execute malicious code to cause denial-of-service.
Prerequisites
- Direct physical or network access to the device front port
- Ability to trigger or control a device reboot
- Device running one of the affected firmware versions
- High CVSS score (8.1)
- Physical access required for exploitation
- Affects critical power protection systems
- Denial-of-service impact to grid operations
- Relion 650 version 2.2.0 to 2.2.1 (pre-2.2.1) has no patch available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (5)
4 with fix, 1 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Relion 670 series | ≥ 2.2.4.0, ≤ 2.2.4.2; ≥ 2.2.3.0, ≤ 2.2.3.3; ≥ 2.2.2.0, ≤ 2.2.2.4; ≥ 2.2.1.0, ≤ 2.2.1.6; ≥ 2.2.0, < 2.2.1 | 2.2.1.7 version or latest |
| Relion 650 series | ≥ 2.2.4.0, ≤ 2.2.4.2 | 2.2.4.3 version or latest |
| Relion 650 series | ≥ 2.2.1.0, ≤ 2.2.1.6 | 2.2.1.7 version or latest |
| Relion 650 series | ≥ 2.2.0, < 2.2.1 | No fix yet |
| SAM-IO series | ≥ 2.2.1.0, ≤ 2.2.1.6 | 2.2.1.7 version or latest |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Relion 670/650/SAM600-IO running version 2.2.1: Update to revision 2.2.1.7 or latest
- HOTFIX: Relion 670 running version 2.2.2: Update to revision 2.2.2.5 or latest
- HOTFIX: Relion 670 running version 2.2.3: Update to revision 2.2.3.4 or latest
- HOTFIX: Relion 670/650 running version 2.2.4: Update to revision 2.2.4.3 or latest
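Added example (not part of the advisory or any vendor material): a Python script that triages an asset inventory against the affected version ranges and hotfix revisions listed on this page. The product keys, function names and inventory rows are assumptions made for the example.

```python
# Ranges and fixed revisions are transcribed from this advisory page.
# (product key, lowest affected, upper bound, bound inclusive?, fixed revision or None)
AFFECTED = [
    ("Relion 670", "2.2.0",   "2.2.1",   False, "2.2.1.7"),  # fix as listed for the 670 table row
    ("Relion 670", "2.2.1.0", "2.2.1.6", True,  "2.2.1.7"),
    ("Relion 670", "2.2.2.0", "2.2.2.4", True,  "2.2.2.5"),
    ("Relion 670", "2.2.3.0", "2.2.3.3", True,  "2.2.3.4"),
    ("Relion 670", "2.2.4.0", "2.2.4.2", True,  "2.2.4.3"),
    ("Relion 650", "2.2.0",   "2.2.1",   False, None),       # "No fix yet"
    ("Relion 650", "2.2.1.0", "2.2.1.6", True,  "2.2.1.7"),
    ("Relion 650", "2.2.4.0", "2.2.4.2", True,  "2.2.4.3"),
    ("SAM600-IO",  "2.2.1.0", "2.2.1.6", True,  "2.2.1.7"),
]

def parse(version):
    """'2.2.4' -> (2, 2, 4, 0), so 3- and 4-part versions compare consistently."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(product, version):
    """Return (status, fixed_revision) for one device."""
    try:
        v = parse(version)
    except ValueError:
        return ("unknown", None)  # unparseable string: verify on the device itself
    for prod, low, high, inclusive, fix in AFFECTED:
        if prod != product:
            continue
        below_top = v <= parse(high) if inclusive else v < parse(high)
        if parse(low) <= v and below_top:
            return ("affected", fix)  # fix is None when the page lists "No fix yet"
    return ("not listed", None)

# Constructed inventory rows with hypothetical asset tags.
INVENTORY = [
    ("SUB-A-REL1", "Relion 670", "2.2.3.3"),
    ("SUB-A-REL2", "Relion 670", "2.2.3.4"),
    ("SUB-B-REL1", "Relion 650", "2.2.0.5"),
    ("SUB-B-IO1",  "SAM600-IO",  "2.2.1.6"),
    ("SUB-C-REL1", "Relion 650", "v2.2.4"),
]

def report(inventory):
    """Affected devices first; those with no fix (hardening only) at the top."""
    rows = [(tag, prod, ver) + triage(prod, ver) for tag, prod, ver in inventory]
    order = {"affected": 0, "unknown": 1, "not listed": 2}
    return sorted(rows, key=lambda r: (order[r[3]], r[4] is not None))

if __name__ == "__main__":
    for row in report(INVENTORY):
        print(*row, sep="\t")
```

Devices reported as affected with no fixed revision fall back on the hardening measures; "unknown" rows need the firmware string checked by hand.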
Long-term hardening
- HARDENING: Physically protect process control systems from direct access by unauthorized personnel
- HARDENING: Separate protection relays from other networks by means of a firewall system with minimal exposed ports
- HARDENING: Do not directly connect devices to the Internet
- HARDENING: Scan portable computers and removable storage media for malware before connecting to control systems
CVEs (1)