OTPulse

Siemens SICAM A8000 Web Server Module

Monitor | CVSS 4.3 | ICS-CERT ICSA-22-223-05 | Aug 9, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A vulnerability in the web server module of Siemens SICAM A8000 CP-8000, CP-8021, and CP-8022 master modules allows unauthenticated access to the web interface. The affected module is used in protocol firmwares including DNP3 (TCP/IP and serial), IEC 61850, Modbus (TCP/IP and serial), and OPC-UA for diagnostics and commissioning purposes. The web server module is disabled by default and must be manually activated, but once enabled it has no authentication controls. An attacker who can reach the device can access diagnostic data and configuration information without logging in. Siemens has stated no firmware updates will be released for these end-of-life products and recommends network protection measures instead.

What this means
What could happen
An attacker who gains access to the web interface of a SICAM A8000 master module can read sensitive diagnostic and commissioning data without authentication. This could expose circuit breaker settings, protection scheme configurations, or network architecture details that attackers could use to plan follow-up attacks on the power system.
Who's at risk
Power system operators managing SICAM A8000 master modules (CP-8000, CP-8021, CP-8022 variants) used in transmission or distribution protection and control systems. This includes TSOs (transmission system operators), DSOs (distribution system operators), and utilities that rely on these devices for circuit protection coordination, DNP3, Modbus, IEC 61850, or OPC-UA gateway functions.
How it could be exploited
An attacker on the network where a SICAM A8000 module is deployed can connect directly to the web server port and browse the interface without logging in, since the web server module has no authentication controls. If the web server module has been manually activated for diagnostics or commissioning, the attacker gains immediate read access to the device's configuration and operational data.
Prerequisites
  • Network connectivity to the affected SICAM A8000 device's web server port
  • Web server module manually activated within the protocol firmware (not enabled by default)
  • No firewall or network segmentation blocking access to the device
Remotely exploitable · No authentication required · Low complexity attack · No fix available · Affects power system critical infrastructure · Web server must be manually enabled (reduces exposure but does not eliminate risk)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (4)
4 EOL
Product | Affected Versions | Fix Status
CP-8000 MASTER MODULE WITH I/O -25/+70°C | All versions | No fix (EOL)
CP-8000 MASTER MODULE WITH I/O -40/+70°C | All versions | No fix (EOL)
CP-8021 MASTER MODULE | All versions | No fix (EOL)
CP-8022 MASTER MODULE WITH GPRS | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement firewall rules or network segmentation to restrict access to SICAM A8000 web server ports to authorized engineering and diagnostic workstations only
WORKAROUND: Disable the web server module in protocol firmwares unless actively performing diagnostics or commissioning; re-enable only when needed and disable immediately after use
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: If web server module must remain enabled, deploy a reverse proxy or VPN gateway with strong authentication in front of the web interface
HARDENING: Document and audit which SICAM A8000 devices have the web server module active, and verify no unauthorized activation has occurred
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CP-8000 MASTER MODULE WITH I/O -25/+70°C, CP-8000 MASTER MODULE WITH I/O -40/+70°C, CP-8021 MASTER MODULE, CP-8022 MASTER MODULE WITH GPRS. Apply the following compensating controls:
HARDENING: Review and implement multi-level redundant secondary protection schemes to reduce grid impact from cyber incidents, per regulatory requirements
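
One way to run the activation audit and segmentation check described above against your own asset inventory. This is an added example, not code from Siemens or OTPulse. The port list, device names, addresses and the web_approved inventory field are assumptions, since the advisory does not state the web server port.

```python
import socket
from collections import namedtuple

# Assumption: the advisory does not name the web server port; 80/443 are placeholders.
WEB_PORTS = (80, 443)

# web_approved is True only while a diagnostics/commissioning job is open for the device.
Device = namedtuple("Device", "name host web_approved")

def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(devices, from_authorized_segment, probe=tcp_probe, ports=WEB_PORTS):
    """Classify each inventoried device by web port reachability from this vantage point."""
    findings = []
    for dev in devices:
        open_ports = [p for p in ports if probe(dev.host, p)]
        if not open_ports:
            status = "ok"                     # module disabled or traffic filtered
        elif not from_authorized_segment:
            status = "segmentation-gap"       # reachable from outside the engineering segment
        elif not dev.web_approved:
            status = "unapproved-activation"  # module on with no open work order
        else:
            status = "approved-active"        # disable again once the job is done
        findings.append((dev.name, status, open_ports))
    return findings

# Constructed inventory (TEST-NET-1 addresses) and constructed probe results.
INVENTORY = [
    Device("substation-a-cp8000", "192.0.2.10", False),
    Device("substation-b-cp8021", "192.0.2.11", True),
    Device("substation-c-cp8022", "192.0.2.12", False),
]
SAMPLE_OPEN = {("192.0.2.11", 80), ("192.0.2.12", 80)}

def sample_probe(host, port):
    """Offline stand-in for tcp_probe, backed by the constructed results above."""
    return (host, port) in SAMPLE_OPEN

if __name__ == "__main__":
    for vantage in (True, False):
        for name, status, ports in audit(INVENTORY, vantage, probe=sample_probe):
            print(f"authorized_segment={vantage} {name}: {status} {ports}")
```

Run it once from an authorized engineering workstation and once from a host outside that segment, dropping the probe argument to use the real TCP check.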