OTPulse

Siemens SICAM A8000

Act Now | CVSS 9.9 | ICS-CERT ICSA-22-013-02 | Jan 11, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Siemens SICAM A8000 substation automation devices contain two vulnerabilities. The first allows a privileged user to enable a debug port that uses default hard-coded credentials (CWE-798: hard-coded credentials). The second allows unauthenticated users to access previously created log files on the device (CWE-284: improper access control). These issues affect CP-8000, CP-8021, and CP-8022 master modules running firmware versions prior to 16.20. An attacker exploiting these vulnerabilities could gain unauthorized access to the device, retrieve sensitive operational data, or establish persistent access to the substation automation system.

What this means
What could happen
A privileged user could enable a debug port with default credentials, and an unauthenticated attacker could access previously created log files on SICAM A8000 devices. This could allow an attacker to gain persistent access or extract sensitive operational and configuration data from your substation automation system.
Who's at risk
Water and electric utilities operating Siemens SICAM A8000 substation automation systems should assess this issue. The affected modules are CP-8000, CP-8021, and CP-8022 series master modules used for real-time control and monitoring of substations.
How it could be exploited
An attacker with network access to a SICAM A8000 device and valid engineering credentials could exploit the first vulnerability by enabling a debug port that uses hard-coded credentials. Alternatively, an unauthenticated attacker could directly access log files on the device without any credentials, potentially extracting configuration, event history, or other sensitive data that reveals system topology or settings.
Prerequisites
  • Network access to the SICAM A8000 device on its management port
  • Valid engineering workstation credentials for the first vulnerability
  • No credentials required for the second vulnerability (unauthenticated log file access)
remotely exploitable · low complexity · default credentials involved · unauthenticated access possible to log files · affects critical substation automation infrastructure
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
CP-8000 MASTER MODULE WITH I/O -25/+70°C | <V16.20 | 16.20
CP-8000 MASTER MODULE WITH I/O -40/+70°C | <V16.20 | 16.20
CP-8021 MASTER MODULE (6MF2802-1AA00) | <V16.20 | 16.20
CP-8022 MASTER MODULE WITH GPRS (6MF2802-2AA00) | <V16.20 | 16.20
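
To apply the affected-version rule above to an asset inventory, the following added example (not part of the advisory or any Siemens tooling) flags listed master modules whose firmware is below 16.20. The CSV column names, hostnames and the non-listed model are constructed assumptions.

```python
import csv
import io
import re

# Affected master modules and first fixed firmware, as listed in the advisory.
AFFECTED_MODELS = ("CP-8000", "CP-8021", "CP-8022")
FIXED = (16, 20)

# Constructed sample inventory; hosts, columns and EXAMPLE-9000 are hypothetical.
SAMPLE_INVENTORY = """\
host,model,firmware
sub-a-rtu1,CP-8000 MASTER MODULE WITH I/O,V16.10
sub-a-rtu2,CP-8021 MASTER MODULE (6MF2802-1AA00),V16.20
sub-b-rtu1,CP-8022 MASTER MODULE WITH GPRS (6MF2802-2AA00),15.50
sub-b-rtu2,EXAMPLE-9000 GATEWAY,V04.10
sub-c-rtu1,cp-8021 master module,unknown
"""


def parse_firmware(text):
    """Return (major, minor) from strings like 'V16.20' or '15.50', else None."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\s*", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(inventory_csv):
    """Map host -> 'vulnerable', 'fixed', 'unverified' or 'not-listed'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = row["model"].upper()
        if not any(name in model for name in AFFECTED_MODELS):
            results[row["host"]] = "not-listed"
            continue
        version = parse_firmware(row["firmware"])
        if version is None:
            # Unreadable firmware on a listed module needs a manual check,
            # not a silent pass.
            results[row["host"]] = "unverified"
        elif version < FIXED:
            results[row["host"]] = "vulnerable"
        else:
            results[row["host"]] = "fixed"
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```
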
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to SICAM A8000 management ports using firewall rules; allow only authorized engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SICAM A8000 devices to firmware version 16.20 or later
Long-term hardening
HARDENING: Segment the substation automation network (SICAM A8000) from the business network with a firewall
HARDENING: If remote access is required, use a VPN tunnel to engineering workstations and keep VPN software updated
Siemens SICAM A8000 | CVSS 9.9 - OTPulse