OTPulse

Siemens SIPROTEC 5 Devices

Monitor · 5.3 · ICS-CERT ICSA-22-349-11 · Dec 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 5 protection relays contain a vulnerability in TLS secure client-initiated renegotiation handling (CWE-400). An unauthenticated attacker with network access to the device's secure communication port (443/TCP or 4443/TCP) can trigger inefficient renegotiation processing, causing the device to become unresponsive and unable to execute protection commands (trip signals, relay logic) for the duration of the attack. This is a denial-of-service condition affecting the secondary protection layer. The vulnerability is caused by improper handling of TLS renegotiation requests, allowing resource exhaustion. Siemens has released firmware updates for most CP300 and CP150 variants, but CP200 module devices in several product lines have no fix available and must rely on network access controls.

What this means
What could happen
An attacker can send malicious TLS renegotiation requests to protection relays, causing them to become unresponsive and unable to process legitimate protection commands, potentially allowing faults to go undetected for the duration of the attack. This affects grid reliability and secondary protection layer availability.
Who's at risk
Utilities operating Siemens SIPROTEC 5 protection and control relays, which are used in substations and distribution systems for overcurrent protection, differential protection, distance protection, and monitoring. Affected models include 6MD84, 6MD85, 6MD86, 6MD89, 6MU85, 7KE85, 7SA82/84/86/87, 7SJ81/82/85/86, 7SK82/85, 7SL82/86/87, 7SD82/84/86/87, 7SS85, 7ST85/86, 7SX82/85, 7SX800, 7UT82/85/86/87, 7UM85, 7VE85, 7VK87, 7VU85, and associated communication modules (ETH-BA-2EL, ETH-BB-2FO, ETH-BD-2FO). Most critical are facilities relying on single protection schemes without redundancy.
How it could be exploited
An attacker with network access to port 443/TCP or 4443/TCP on a SIPROTEC 5 device can send a client-initiated TLS renegotiation request without credentials. The device processes the request inefficiently, consuming resources and becoming unresponsive to legitimate protective relay commands (trip signals, telemetry queries) for the duration of the attack.
Prerequisites
  • Network access to port 443/TCP or 4443/TCP
  • No authentication required
  • Device must be reachable on the network (not air-gapped)
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • Affects safety-critical protection systems
  • No fix available for CP200 module variants
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (69)
47 with fix, 22 pending

Product                     | Affected Versions | Fix Status
SIPROTEC 5 6MD84 (CP300)    | < 9.50            | 9.50
SIPROTEC 5 6MD85 (CP200)    | All versions      | No fix yet
SIPROTEC 5 6MD85 (CP300)    | < 9.50            | 9.50
SIPROTEC 5 6MD86 (CP200)    | All versions      | No fix yet
SIPROTEC 5 6MD86 (CP300)    | < 9.50            | 9.50
Remediation & Mitigation
Do now
SIPROTEC 5 6MD85 (CP200)
WORKAROUND: For devices with CP200 modules where no fix is available, restrict network access to ports 443/TCP and 4443/TCP to only trusted engineering workstations and control network IP addresses.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIPROTEC 5 6MD84 (CP300)
HOTFIX: Update SIPROTEC 5 devices with CP300 modules to firmware version 9.50 or later (or 9.64 for models 6MD89, 7KE85, 7ST85, 7ST86); update CP150 models to 9.50; update CP100 models to 8.89 or 8.90 as specified per product.
Long-term hardening
HARDENING: Segment SIPROTEC 5 devices behind a firewall and isolate them from business networks; do not expose devices directly to the Internet.
HARDENING: Verify that redundant secondary protection schemes are in place and operational to provide resilience if one protection relay becomes unresponsive.
HARDENING: If remote access is required, use a VPN with current patches rather than direct Internet connectivity.
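To turn the fix levels above into a check over a device inventory, here is an added example (not OTPulse or Siemens code) that sorts constructed sample rows into the advisory's workaround/hotfix buckets. The model, module and firmware values in the sample list are assumptions, and CP100 devices are only flagged for manual verification because the page gives their level as "8.89 or 8.90 as specified per product".

```python
# Models whose CP300 fix level is 9.64 instead of 9.50 (from the advisory above)
CP300_FIX_964 = {"6MD89", "7KE85", "7ST85", "7ST86"}

def parse_version(v: str) -> tuple:
    """'V9.50' / '9.50' -> (9, 50). Numeric compare: '9.5' must not sort above '9.50'."""
    return tuple(int(p) for p in v.strip().lstrip("Vv").split("."))

def required_fix(model: str, module: str):
    """Minimum fixed firmware for a model/module per the advisory.
    Returns None for CP200 (no fix) and 'PER-PRODUCT' for CP100, whose level is
    8.89 or 8.90 depending on the product and is not listed per model on this page."""
    if module == "CP200":
        return None
    if module == "CP300":
        return "9.64" if model in CP300_FIX_964 else "9.50"
    if module == "CP150":
        return "9.50"
    if module == "CP100":
        return "PER-PRODUCT"
    raise ValueError(f"unknown communication module: {module}")

def triage(model: str, module: str, firmware: str) -> str:
    """Classify one device into the advisory's action buckets."""
    fix = required_fix(model, module)
    if fix is None:
        return "WORKAROUND"   # restrict 443/4443 to trusted hosts; no patch available
    if fix == "PER-PRODUCT":
        return "VERIFY"       # look up the 8.89/8.90 level for this product first
    if parse_version(firmware) >= parse_version(fix):
        return "OK"
    return "HOTFIX"           # schedule the update; a reboot is expected

def triage_inventory(inventory):
    """Group (model, module, firmware) rows by action so the lists map onto the
    'Do now' / 'Schedule' items above."""
    buckets = {"WORKAROUND": [], "HOTFIX": [], "VERIFY": [], "OK": []}
    for model, module, fw in inventory:
        buckets[triage(model, module, fw)].append(f"{model} ({module}) {fw}")
    return buckets

# Constructed sample inventory (assumed values, not real devices)
SAMPLE_INVENTORY = [
    ("6MD84", "CP300", "V9.40"),   # below 9.50 -> HOTFIX
    ("6MD85", "CP200", "V9.50"),   # CP200 has no fix -> WORKAROUND
    ("7KE85", "CP300", "V9.50"),   # needs 9.64, not 9.50 -> HOTFIX
    ("7SJ85", "CP150", "V9.50"),   # at fix level -> OK
    ("7SA82", "CP100", "V8.80"),   # per-product level -> VERIFY
]
```

Calling `triage_inventory(SAMPLE_INVENTORY)` returns the four action lists; feed it your own inventory export in the same (model, module, firmware) shape.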
API: /api/v1/advisories/16ccc276-7374-4a9e-aa9e-5ad47fcec0ed