Siemens Energy PLUSCONTROL

Plan PatchCVSS 8.2ICS-CERT ICSA-22-013-03Jan 11, 2022

SiemensEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in the Nucleus RTOS (NUCLEUS:13) affect Siemens PLUSCONTROL 1st Gen devices. These include CWE-843 (type confusion), CWE-1284 (improper validation), CWE-805 (buffer access with incorrect length value), CWE-191 (integer underflow), and CWE-240 (improper handling of unexpected input). The vulnerabilities can be triggered remotely over the network without credentials, potentially causing denial of service or code execution on affected PLUSCONTROL units. No security updates are available for PLUSCONTROL 1st Gen products.

What this means

What could happen

Multiple memory and buffer handling vulnerabilities in the Nucleus RTOS could allow an attacker with network access to crash PLUSCONTROL devices or execute arbitrary code, disrupting power grid protection functions and potentially causing loss of generation, transmission, or distribution control.

Who's at risk

Energy sector operators worldwide running Siemens PLUSCONTROL 1st Gen devices for power grid protection, control, and coordination functions—including transmission system operators (TSOs), distribution system operators (DSOs), generation facilities, and substations. Any organization using this equipment for critical power system automation is affected.

How it could be exploited

An attacker with network access to a PLUSCONTROL 1st Gen device could send specially crafted network packets that trigger memory corruption, integer underflow, or buffer overflow conditions in the embedded Nucleus RTOS. This could lead to denial of service (device crash/reboot) or remote code execution if the memory layout is predictable enough for payload injection.

Prerequisites

Network reachability to the PLUSCONTROL 1st Gen device
No authentication required to trigger the vulnerable code path
Device running affected Nucleus RTOS version (all versions of 1st Gen)

remotely exploitableno authentication requiredlow complexityno patch availableaffects safety systems (power grid protection)high CVSS score (8.2)

Exploitability

Some exploitation risk — EPSS score 2.5%

Affected products (1)

ProductAffected VersionsFix Status

PLUSCONTROL 1st GenAll versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDImplement firewall rules and network segmentation to restrict inbound network access to PLUSCONTROL 1st Gen devices to only authorized control centers and engineering workstations

HARDENINGDeploy VPN or other authenticated network overlay for any remote access to affected devices

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGVerify that multi-level redundant secondary protection schemes are in place and functional, so that loss of a single PLUSCONTROL unit does not disable grid protection

HARDENINGMonitor device logs and restart behavior for signs of repeated crashes or unexpected reboots, which may indicate exploitation attempts

Long-term hardening

0/1

HOTFIXPlan migration from PLUSCONTROL 1st Gen to a newer generation product that receives security updates

CVEs (6)

CVE-2021-31344 CVE-2021-31345 CVE-2021-31346 CVE-2021-31885 CVE-2021-31889 CVE-2021-31890

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/08e278f9-4cf3-4413-bb23-b3bdaf3b4cd4

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.