Hitachi Energy PCM600 Update Manager

MonitorCVSS 6.7ICS-CERT ICSA-21-336-07Dec 2, 2021

Hitachi EnergyEnergy

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityHigh

User InteractionRequired

Summary

PCM600 Update Manager contains a certificate validation vulnerability (CWE-295) that allows an attacker with local access and valid user credentials to bypass software package authentication. Successful exploitation could allow installation of untrusted software packages on connected power system relays and protection devices. The attack requires high complexity and user interaction—specifically tricking a user into clicking a malicious link or opening an unsolicited attachment. The vulnerability is not remotely exploitable.

What this means

What could happen

An attacker with local access and user credentials could bypass certificate validation in the Update Manager and install malicious or untrusted software, potentially compromising power grid relays and associated control systems.

Who's at risk

Power utilities and energy sector operators who use Hitachi Energy PCM600 Update Manager to manage firmware and software for power system relays and protection devices. Affects versions 2.1 through 2.4.20119.2.

How it could be exploited

An attacker must have local access to a machine running PCM600 Update Manager, valid user credentials, and must trick a user into clicking a malicious link or opening an attachment. This bypasses certificate validation, allowing installation of an untrusted software package to the connected relay hardware.

Prerequisites

Local access to the machine running PCM600 Update Manager
Valid user credentials on that machine
User must click a malicious link or open an unsolicited attachment
High attack complexity (requires specific conditions)

local access requireduser interaction requiredhigh attack complexitycertificate validation bypassaffects energy/power grid equipmentno known public exploits

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (1)

ProductAffected VersionsFix Status

PCM600 Update Manager:2.1 | 2.1.0.4 | 2.2 2.2.0.1 | 2.2.0.2 | 2.2.0.23 | 2.3.0.60 | 2.4.20041.1 |2.4.20119.22.4.21218.1

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGEnforce least-privilege principle for user accounts on machines running Update Manager

HARDENINGEducate users not to click web links or open unsolicited attachments in email

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate PCM600 Update Manager to version 2.4.21218.1 or later

Long-term hardening

0/1

HARDENINGIsolate Update Manager machines on a separate engineering network segment with restricted access

CVEs (1)

CVE-2021-22278

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ece2e281-2ca8-45b9-bdcf-b24fbfeda89a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.