OTPulse

Hitachi Energy IED Connectivity Packages and PCM600 Products (Update A)

Plan Patch
CVSS: 7.1
ICS-CERT ICSA-22-333-02
Nov 29, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Successful exploitation could allow an attacker to obtain sensitive credentials and gain access to affected products, perform unauthorized modifications, or provoke denial-of-service conditions. The vulnerability affects PCM600 and multiple Connectivity Packages (670, 650, SAM600-IO, GMS600, PWC600) used in Hitachi Energy IED (Intelligent Electronic Device) configuration and management. Credentials and sensitive data may be stored insecurely in backup files and configuration files (PCMI, PCMP, PCMA, PCMT).

What this means
What could happen
An attacker with local access to a PCM600 system or IED connectivity package could extract stored credentials, take control of protective relays and IEDs, or disrupt power grid operations including protection and control functions.
Who's at risk
Power generation and transmission utilities that use Hitachi Energy intelligent electronic devices (IEDs) protected by or configured using PCM600 or the 670, 650, SAM600-IO, GMS600, and PWC600 connectivity packages. This includes relays, merging units, and other protection and control devices in substations and power plants.
How it could be exploited
An attacker with local file system access to a machine running PCM600 or the connectivity packages can access backup files or configuration files that store credentials in plaintext or weakly protected form, extracting credentials to gain unauthorized access to IEDs and other connected equipment.
Prerequisites
  • Local access to the machine running PCM600 or connectivity package software
  • Access to backup files (PCMI, PCMP, PCMA, PCMT) or configuration directories
  • No special privileges required to read stored credential files
  • No authentication required for local file access
  • Low complexity exploitation
  • Affects critical infrastructure (power grid protection)
  • No patch available for multiple connectivity packages
  • Credentials stored insecurely in backup files
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (6)
1 with fix, 5 pending
Product | Affected Versions | Fix Status
670 Connectivity Package | ≥ 3.0, < 3.4.1 | No fix yet
650 Connectivity Package | ≥ 1.3, < 2.4.1 | No fix yet
SAM600-IO Connectivity Package | ≥ 1.0, < 1.2 | No fix yet
GMS600 Connectivity Package | ≥ 1.3, < 1.3.1 | No fix yet
PWC600 Connectivity Package | ≥ 1.1, < 1.3 | No fix yet
PCM600 | ≤ v2.11 including hotfixes | v2.11 Hotfix 20240426
Remediation & Mitigation
Do now
  • HARDENING: Restrict file system and network access to PCM600 systems and backup files using Windows access controls and firewall rules
  • HARDENING: Apply least privilege principle to PCM600 user accounts and file permissions for PCMI, PCMP, PCMA, PCMT files
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Apply PCM600 v2.11 Hotfix 20240426 or later
  • HOTFIX: Reimport and export backup files after applying the hotfix to remove embedded credentials
Long-term hardening
  • HARDENING: Store and protect backup files in secure locations with access controls
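
One way to check the file-permission hardening steps above on an engineering workstation. This is an added example, not code from Hitachi Energy or from the advisory. It assumes the PCMI, PCMP, PCMA and PCMT file types named above appear as file extensions, and D:\PCM600-Backups is a placeholder path.

```powershell
# Added example: list PCM600 backup/export files whose ACLs let broad groups read them.
# Assumptions: the advisory's file types are used as extensions (.pcmi, .pcmp, .pcma,
# .pcmt); the default root below is a placeholder, pass real locations with -Roots.
param(
    [string[]]$Roots = @('D:\PCM600-Backups')
)

# Well-known SIDs of broad groups; SIDs avoid dependence on the OS display language.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}
$Extensions = '.pcmi', '.pcmp', '.pcma', '.pcmt'
$ReadBit    = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$findings = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $file = $_
            try {
                $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
            } catch {
                Write-Warning "Cannot read ACL: $($file.FullName)"
                return   # skip this file, continue with the next one
            }
            # Explicit and inherited rules, with identities resolved to SIDs.
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                $sid     = $rule.IdentityReference.Value
                $canRead = (([int]$rule.FileSystemRights) -band $ReadBit) -ne 0
                if ($rule.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and $canRead) {
                    [pscustomobject]@{
                        Path      = $file.FullName
                        Principal = $BroadSids[$sid]
                        Rights    = $rule.FileSystemRights
                        Inherited = $rule.IsInherited
                        Modified  = $file.LastWriteTime
                    }
                }
            }
        }
}

$findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
"{0} broad-read ACL entries found" -f @($findings).Count
```

Entries marked Inherited = True are fixed on the parent folder rather than on the file. Files with a Modified date earlier than the hotfix installation are candidates for the reimport and export step.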
Hitachi Energy IED Connectivity Packages and PCM600 Products (Update A) | CVSS 7.1 - OTPulse