Siemens Spectrum Power Systems

Plan Patch8.8ICS-CERT ICSA-22-167-12Jun 14, 2022

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens Spectrum Power systems (versions 4, 7, and MGMS) that use the Shared HIS (SHHIS) component contain hardcoded default credentials. An attacker with network access to the Shared HIS service can log in as an administrator without changing any configuration. This vulnerability is not remotely exploitable—the attacker must be on the same local network segment. Siemens has not released a patch and recommends users implement network access controls and change default credentials.

What this means

What could happen

An attacker with network access to the Shared HIS component could log in with default administrative credentials, gaining the ability to modify power system parameters, disable alarms, or disrupt monitoring and control of electrical generation, transmission, or distribution operations.

Who's at risk

Electric utilities and power generation facilities using Siemens Spectrum Power systems (versions 4, 7, or MGMS) for supervisory control and monitoring. Any facility relying on these systems for real-time energy management, including control of generators, transmission lines, and distribution equipment.

How it could be exploited

An attacker must be on the same local network segment as the Shared HIS component (not remotely exploitable). Once on the network, they can connect directly to the HIS service and authenticate using hardcoded default credentials to gain administrative access.

Prerequisites

Network access to the Shared HIS component (local network segment only, not routable over the internet)
Knowledge of the default username and password
No authentication bypass or special configuration required—default credentials work if unchanged

no patch availabledefault credentialsaffects safety/control systemsadministrative access

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (3)

3 pending

ProductAffected VersionsFix Status

Spectrum Power 4All versions using Shared HISNo fix yet

Spectrum Power 7All versions using Shared HISNo fix yet

Spectrum Power MGMSAll versions using Shared HISNo fix yet

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDChange all default credentials for Shared HIS administrative accounts immediately

HARDENINGRestrict network access to the Shared HIS component using firewall rules; allow only authorized engineering workstations and HMI servers

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HARDENINGPlace Spectrum Power systems on a separate, air-gapped network segment isolated from corporate IT and the internet

HARDENINGContact Siemens to obtain detailed account enumeration and secure configuration guidance for your specific Spectrum Power version

HARDENINGEnable logging and monitoring of all administrative access to Shared HIS; alert on failed login attempts

CVEs (1)

CVE-2022-26476

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7e186772-b016-4426-9598-4d12a1067d90