OTPulse

Hitachi Energy MicroSCADA Pro X SYS600

Plan Patch | CVSS 8.5 | ICS-CERT ICSA-22-272-01 | Sep 29, 2022
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

This vulnerability affects Hitachi Energy MicroSCADA Pro X SYS600 due to improper input validation and insufficient access controls (CWE-20, CWE-269, CWE-284, CWE-241). An attacker with low-privilege user credentials can exploit the ICCP feature to execute arbitrary scripts, causing the SYS600 application to fail to start or enter a denial-of-service condition. Successful exploitation requires network access and low-level credentials, but the attack complexity is low. Systems running SYS600 version 9.4 FP2 Hotfix 4 and earlier, or version 10.3.1 and earlier are affected. Version 10.4 and later include the fix.

What this means
What could happen
An attacker with low-level credentials could execute arbitrary scripts on the SYS600 system, potentially stopping the application, causing denial of service, or altering process logic. This could disrupt energy distribution operations.
Who's at risk
Energy utilities operating Hitachi Energy MicroSCADA Pro X SYS600 supervisory control and data acquisition (SCADA) systems, particularly those running versions 9.4 FP2 Hotfix 4 and earlier, or 10.3.1 and earlier. Any SYS600 system with ICCP enabled is at risk.
How it could be exploited
An attacker on the network with local/low-privilege user credentials can send a specially crafted request to the SYS600 system to trigger improper input validation, enabling script execution. The attack is remotely exploitable over the network and requires low complexity to execute.
Prerequisites
  • Network access to the SYS600 system
  • Low-privilege user credentials (local or remote login)
  • ICCP feature enabled (default or explicitly configured)
Tags: remotely exploitable · requires low-level credentials · low attack complexity · affects energy distribution control systems · no patch available for older versions
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
SYS600: 10.3.1 and earlier | ≤ 10.3.1 | No fix yet
SYS600: 9.4 FP2 Hotfix 4 and earlier versions | ≤ 9.4 FP2 Hotfix 4 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable ICCP feature if not operationally required
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade SYS600 9.x systems to version 10.4 or later
HOTFIX: Upgrade SYS600 10.x systems to version 10.4 or later
HARDENING: Review and apply Hitachi Energy 1MRK511518 MicroSCADA X Cyber Security Deployment Guideline
Long-term hardening
HARDENING: Segment SYS600 systems behind a firewall with minimal open ports; do not expose to the internet
HARDENING: Isolate SYS600 process control network from business network
HARDENING: Implement network access controls to restrict login attempts to SYS600 from trusted sources only
Hitachi Energy MicroSCADA Pro X SYS600 | CVSS 8.5 - OTPulse