OTPulse

Hitachi Energy GMS600, PWC600, and Relion

Plan Patch · 7.2 · ICS-CERT ICSA-21-343-01 · Dec 9, 2021
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Improper access control in Hitachi Energy GMS600, PWC600, and Relion relay series allows users with high-level privileges to access unauthorized functions and information on the device. The vulnerability exists in multiple versions of Relion 670/650 series (versions 2.0, 2.1, 2.2.0–2.2.3.4, 2.2.4, 2.2.5–2.2.5.1), PWC600 (versions 1.0.1.0, 1.0.1.1, 1.0.1.3, and others), GMS600 (versions 1.2.0, 1.3.0, 1.3.1.0), and Relion 650 series (versions 1.0, 1.1, 1.2, 1.3). Hitachi Energy has released firmware updates that address this vulnerability. The vulnerability has a CVSS score of 7.2 (high) but is not currently known to be actively exploited.

What this means
What could happen
An attacker with high-level privileges (such as an administrator or engineer) could gain unauthorized access to protection relays and gateway devices in electrical substations, potentially allowing them to modify relay settings, alter protective logic, or trigger false alarms that could disrupt power distribution.
Who's at risk
This affects electric utilities and power distribution operators who use Hitachi Energy protection relays and gateways: Relion 670/650 series IEDs (intelligent electronic devices), PWC600 power system gateways, GMS600 communications gateways, and SAM600-IO modules. Any organization managing electrical substations with these devices should evaluate their installed versions against the list of affected versions.
How it could be exploited
An attacker with administrative credentials or high privileges could bypass permission controls on Hitachi Energy Relion, GMS600, or PWC600 devices to gain unauthorized access to device configuration and operational parameters. The attacker would need to be on the same network segment or reach the device via its management interface.
Prerequisites
  • High-level user privileges (administrator or engineer account)
  • Network access to the affected device's management interface
  • Access to the device locally or via the substation network
  • High privileges required for exploitation
  • Remotely exploitable if device is network-reachable
  • Affects critical power distribution equipment
  • CWE-284: Improper Access Control
  • Low EPSS score but high CVSS severity due to potential impact
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (13)
13 with fix

Product | Affected Versions | Fix Status
Relion 670/650 series | 2.1 * | 1.3.0.8
PWC600 | 1.0.1.0; 1.0.1.1; 1.0.1.3 and 3 more | 1.3.0.8
Relion 650 series | 1.2 *; 1.3 *; 1.0 *; 1.1 * | 1.3.0.8
GMS600 | 1.3.0 | 1.3.0.8
GMS600 | 1.3.1.0 | 1.3.0.8
GMS600 | 1.2.0 | 1.3.0.8
Relion 670/650 series | 2.2.0 * | 1.3.0.8
Relion 670/650 series | 2.2.4 * | 1.3.0.8
Remediation & Mitigation
Do now
WORKAROUND: Restrict access to device management interfaces and configuration ports via firewall rules; expose only necessary ports to the substation network
HARDENING: Restrict ODBC (Open Database Connectivity) access to device configuration within the substation only; block access from external networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Relion 670 series Version 2.2.3 to Version 2.2.3.5 or later
HOTFIX: Update Relion 670/650/SAM600-IO series Version 2.2.5 to Version 2.2.5.2 or later
HOTFIX: Update Relion 650 series Version 1.3 to Version 1.3.0.8 or later
HOTFIX: Update Relion 650 series Version 1.2 to Version 1.3.0.8 or later
HOTFIX: Update Relion 670 series Version 2.1 to Version 2.1.0.5 or later
HOTFIX: Update PWC600 to Version 1.3.0.8 or later
HOTFIX: Update GMS600 to Version 1.3.0.8 or later
HARDENING: Limit network connectivity for portable computers and removable media before connecting to control systems; scan for malware
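
An added example, not part of the advisory or any vendor tooling: a triage script that checks a Relion firmware inventory against the hotfix versions in the list above, comparing each device only within its own version train. The asset tags, inventory rows and function names are constructed, and only the Relion 670/650 lines are covered.

```python
# Added example: fixed versions are copied from this page's hotfix list (Relion only).

# (series, version train) -> first fixed version named in the hotfix list
HOTFIX = {
    ("670", (2, 1)): (2, 1, 0, 5),
    ("670", (2, 2, 3)): (2, 2, 3, 5),
    ("670", (2, 2, 5)): (2, 2, 5, 2),
    ("650", (2, 2, 5)): (2, 2, 5, 2),
    ("650", (1, 2)): (1, 3, 0, 8),
    ("650", (1, 3)): (1, 3, 0, 8),
}
# Families the summary lists as affected (2.2.1, 2.2.2 lie in its 2.2.0-2.2.3.4 range).
AFFECTED = [(2, 0), (2, 1), (2, 2, 0), (2, 2, 1), (2, 2, 2), (2, 2, 3),
            (2, 2, 4), (2, 2, 5), (1, 0), (1, 1), (1, 2), (1, 3)]


def parse(version):
    """'2.2.3.4' -> (2, 2, 3, 4); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))


def triage(series, version):
    """Return the action for one device, given series ('670'/'650') and firmware."""
    try:
        v = parse(version)
    except ValueError:
        return "check manually: unparseable version"
    # Stay inside the device's own train: 2.2.3.x is judged against 2.2.3.5 only.
    for (s, train), fixed in HOTFIX.items():
        if s == series and v[:len(train)] == train:
            if v < fixed:
                return "update to " + ".".join(map(str, fixed)) + " or later"
            return "at or above listed fix"
    if any(v[:len(t)] == t for t in AFFECTED):
        return "affected family, no hotfix line on this page: check vendor advisory"
    return "not listed on this page"


INVENTORY = [  # constructed rows: (asset tag, series, firmware version)
    ("SUB1-REL-01", "670", "2.2.3.4"),
    ("SUB1-REL-02", "670", "2.2.3.5"),
    ("SUB2-REL-07", "650", "1.2.0.3"),
    ("SUB2-REL-09", "670", "2.2.4.1"),
]

if __name__ == "__main__":
    for tag, series, version in INVENTORY:
        print(f"{tag}  Relion {series} {version}: {triage(series, version)}")
```

Devices that land in the "affected family" bucket, such as the 2.2.4.1 row, are in a version family the summary names but for which this page gives no hotfix line.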
Long-term hardening
HARDENING: Do not connect affected devices directly to the Internet; isolate them on a separate network segment behind a firewall