Hitachi Energy PROMOD IV
Act Now | 9 | ICS-CERT ICSA-22-263-01 | Sep 20, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A file deletion vulnerability exists in PROMOD IV versions 11.2, 11.3, and 11.4. Successful exploitation could allow an attacker to delete arbitrary files once the system is compromised. The Actbar2.ocx component, which is no longer used by PROMOD IV, is involved in the vulnerability. A patch is in development for version 11.5.
What this means
What could happen
An attacker with access to a PROMOD IV system could delete critical files, potentially corrupting configuration data, logs, or system files needed for safe operation of the energy management or control functions PROMOD IV manages. This could lead to loss of visibility into power system state or inability to perform critical control operations.
Who's at risk
Energy utilities, power generation facilities, and industrial sites relying on Hitachi Energy PROMOD IV for energy management, power system control, or SCADA functions. This affects engineering workstations and control system servers running PROMOD IV versions 11.2 through 11.4.
How it could be exploited
An attacker must first gain local or network access to a PROMOD IV system (this vulnerability is not remotely exploitable on its own). Once on the system, the attacker can exploit this file deletion flaw to remove arbitrary files. The Actbar2.ocx component is the attack vector, though it is no longer active in current versions.
Prerequisites
- Local or network access to PROMOD IV system (not remotely exploitable)
- PROMOD IV version 11.2, 11.3, or 11.4 installed
- Ability to interact with Actbar2.ocx component if still present on the system
- No patch currently available
- High EPSS score (13.7%)
- Affects critical energy infrastructure
- Arbitrary file deletion capability can corrupt system integrity
Exploitability
High exploit probability (EPSS 13.7%)
Affected products (1)
Product: PROMOD IV
Affected Versions: 11.2 | 11.3 | 11.4
Fix Status: 11.5
Remediation & Mitigation
Do now
- HARDENING: Remove Actbar2.ocx from systems where it is no longer needed, as it is no longer used by PROMOD IV
- HARDENING: Do not use PROMOD IV systems for internet browsing, instant messaging, or email
- HARDENING: Scan portable computers and removable storage media for malware before connecting to PROMOD IV systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Apply operating system hardening guidelines from The Center for Internet Security (CIS) to systems hosting PROMOD IV
- HOTFIX: Plan upgrade to PROMOD IV version 11.5 or later once released by Hitachi Energy to obtain the file deletion vulnerability patch
Long-term hardening
- HARDENING: Deploy PROMOD IV inside a demilitarized zone (DMZ) network, isolated from both direct internet access and internal corporate networks
- HARDENING: Implement firewall rules to restrict access to PROMOD IV systems from outside the network, opening only the minimum necessary ports
- HARDENING: Physically protect PROMOD IV systems and workstations from unauthorized direct access
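The "Do now" step of removing Actbar2.ocx starts with knowing where the control is present and whether it is still registered. The read-only PowerShell below is an added example, not tooling from Hitachi Energy or the advisory. It assumes the control is registered as an in-process COM server under the standard CLSID hives, and all variable names are illustrative.

```powershell
# Added example: inventory Actbar2.ocx before removal. Read-only; deletes nothing.
# Assumption: the control may sit on any fixed drive, so each one is searched.
$name = 'Actbar2.ocx'

# 1. Locate every copy on fixed drives (DriveType 3 = local disk).
$roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
    ForEach-Object { $_.DeviceID + '\' }
$files = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter $name -File -Recurse -Force -ErrorAction SilentlyContinue
}

# 2. Find COM classes whose in-process server points at the file.
#    Assumption: registration lives in the 64-bit or 32-bit (WOW6432Node) hive.
$hives = 'HKLM:\SOFTWARE\Classes\CLSID',
         'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
$registrations = foreach ($hive in $hives) {
    if (-not (Test-Path -LiteralPath $hive)) { continue }
    Get-ChildItem -LiteralPath $hive -ErrorAction SilentlyContinue | ForEach-Object {
        $key = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path -LiteralPath $key) {
            # The default value of InprocServer32 holds the server's file path.
            $server = (Get-Item -LiteralPath $key).GetValue('')
            if ($server -like "*$name*") {
                [pscustomobject]@{
                    Clsid  = $_.PSChildName
                    Server = $server
                    Hive   = $hive
                }
            }
        }
    }
}

# 3. Report each copy with its hash and timestamp, then any registrations.
$files | ForEach-Object {
    [pscustomobject]@{
        Path     = $_.FullName
        SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Modified = $_.LastWriteTime
    }
} | Format-List
$registrations | Format-Table -AutoSize

"{0} file(s), {1} COM registration(s) found on {2}" -f `
    @($files).Count, @($registrations).Count, $env:COMPUTERNAME
```

Run it from an elevated prompt so protected directories are included in the search. A host that reports zero files and zero registrations needs no action for this step.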
CVEs (1)