Hitachi Energy GMS600, PWC600, and Relion

Plan PatchCVSS 7.2ICS-CERT ICSA-21-343-01Dec 9, 2021

Hitachi EnergyEnergy

Attack path

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

Improper access control in Hitachi Energy GMS600, PWC600, and Relion relay series allows users with high-level privileges to access unauthorized functions and information on the device. The vulnerability exists in multiple versions of Relion 670/650 series (versions 2.0, 2.1, 2.2.0–2.2.3.4, 2.2.4, 2.2.5–2.2.5.1), PWC600 (versions 1.0.1.0, 1.0.1.1, 1.0.1.3, and others), GMS600 (versions 1.2.0, 1.3.0, 1.3.1.0), and Relion 650 series (versions 1.0, 1.1, 1.2, 1.3). Hitachi Energy has released firmware updates that address this vulnerability. The vulnerability has a CVSS score of 7.2 (high) but is not currently known to be actively exploited.

What this means

What could happen

An attacker with high-level privileges (such as an administrator or engineer) could gain unauthorized access to protection relays and gateway devices in electrical substations, potentially allowing them to modify relay settings, alter protective logic, or trigger false alarms that could disrupt power distribution.

Who's at risk

This affects electric utilities and power distribution operators who use Hitachi Energy protection relays and gateways: Relion 670/650 series IEDs (intelligent electronic devices), PWC600 power system gateways, GMS600 communications gateways, and SAM600-IO modules. Any organization managing electrical substations with these devices should evaluate their installed versions against the list of affected versions.

How it could be exploited

An attacker with administrative credentials or high privileges could bypass permission controls on Hitachi Energy Relion, GMS600, or PWC600 devices to gain unauthorized access to device configuration and operational parameters. The attacker would need to be on the same network segment or reach the device via its management interface.

Prerequisites

High-level user privileges (administrator or engineer account)
Network access to the affected device's management interface
Access to the device locally or via the substation network

High privileges required for exploitationRemotely exploitable if device is network-reachableAffects critical power distribution equipmentCWE-284: Improper Access ControlLow EPSS score but high CVSS severity due to potential impact

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (13)

13 with fix

ProductAffected VersionsFix Status

Relion 670/650 series:2.1 *1.3.0.8

PWC600:1.0.1.01.0.1.11.0.1.3 and 3 more1.3.0.8

Relion 650 series:1.2 *1.3 *1.0 *1.1 *1.3.0.8

GMS600:1.3.01.3.0.8

GMS600:1.3.1.01.3.0.8

GMS600:1.2.01.3.0.8

Relion 670/650 series:2.2.0 *1.3.0.8

Relion 670/650 series:2.2.4 *1.3.0.8

Remediation & Mitigation

0/11

Do now

0/2

WORKAROUNDRestrict access to device management interfaces and configuration ports via firewall rules; expose only necessary ports to the substation network

HARDENINGRestrict ODBC (Open Database Connectivity) access to device configuration within the substation only; block access from external networks

Schedule — requires maintenance window

0/8

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Relion 670 series Version 2.2.3 to Version 2.2.3.5 or later

HOTFIXUpdate Relion 670/650/SAM600-IO series Version 2.2.5 to Version 2.2.5.2 or later

HOTFIXUpdate Relion 650 series Version 1.3 to Version 1.3.0.8 or later

HOTFIXUpdate Relion 650 series Version 1.2 to Version 1.3.0.8 or later

HOTFIXUpdate Relion 670 series Version 2.1 to Version 2.1.0.5 or later

HOTFIXUpdate PWC600 to Version 1.3.0.8 or later

HOTFIXUpdate GMS600 to Version 1.3.0.8 or later

HARDENINGLimit network connectivity for portable computers and removable media before connecting to control systems; scan for malware

Long-term hardening

0/1

HARDENINGDo not connect affected devices directly to the Internet; isolate them on a separate network segment behind a firewall

CVEs (1)

CVE-2021-35534

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/53fbd6ce-483f-409b-825b-248e89f6b6e0

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.