Hitachi Energy Lumada APM

MonitorCVSS 5.7ICS-CERT ICSA-23-012-07Jan 12, 2023

Hitachi EnergyEnergy

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

Hitachi Energy Lumada APM versions 6.0.0.0 through 6.4.220601.0 (SaaS) and 6.0.0.0 through 6.4.0 (On Premises) contain an insufficient access control vulnerability affecting the Power BI integration feature. Users assigned the \"Limited Engineer\" role can access Power BI reports they should not have permission to view and can modify asset issue comments. This vulnerability is remediated in Lumada APM v6.4.0.1 and later for SaaS, and v6.5.0.0 and later for On Premises. Note: the On Premises edition does not natively support Power BI integration, but users can connect external subscription-based Power BI services.

What this means

What could happen

An attacker with "Limited Engineer" credentials could access unauthorized Power BI reports or modify asset issue comments, leading to potential exposure of sensitive operational data or corruption of asset records that operators depend on.

Who's at risk

Energy utilities using Hitachi Energy's Lumada APM (Asset Performance Management) for monitoring and managing critical infrastructure. This affects both cloud-based SaaS deployments and on-premises installations that have enabled Power BI reporting integration. Any organization with users assigned the \"Limited Engineer\" role is at risk.

How it could be exploited

An attacker with "Limited Engineer" role credentials connects to the Lumada APM system (either SaaS or On Premises with Power BI integration enabled). The attacker can then access Power BI reports they should not have permission to view, or modify comments on asset issues in the system. The attack requires valid credentials and user interaction or existing access to the application interface.

Prerequisites

Valid "Limited Engineer" role credentials or ability to assign/obtain this role
Lumada APM v6.0.0.0 through v6.4.220601.0 (SaaS) or v6.4.0 (On Premises) running
For SaaS or On Premises with Power BI integration: Power BI integration feature must be enabled
Network access to the Lumada APM application interface

Low exploitation complexityRequires valid credentialsAffects asset data visibility and integrityMay expose operational metrics or reports

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Lumada APM: Lumada APM - SaaS:≥ 6.0.0.0 | ≤ 6.4.220601.0v6.4.0.1

Lumada APM: Lumada APM - On Premises:≥ 6.0.0.0.0 | ≤ 6.4.0v6.5.0.0

Remediation & Mitigation

0/7

Do now

0/3

WORKAROUNDDisable the Power BI integration feature if any users have the "Limited Engineer" role assigned

WORKAROUNDRemove all users with the "Limited Engineer" role from the system

WORKAROUNDAssign "Limited Engineer" users to a different role before enabling Power BI integration

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Lumada APM to v6.4.0.1 or later (SaaS) or v6.5.0.0 or later (On Premises)

Long-term hardening

0/3

HARDENINGImplement network segmentation to isolate Lumada APM from direct internet access using firewalls with minimal exposed ports

HARDENINGPhysically restrict access to Lumada APM servers and workstations

HARDENINGRestrict Lumada APM workstations from internet browsing, email, and instant messaging

CVEs (1)

CVE-2022-2155

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1fa60ac5-dccb-4752-967f-c7a80e41d64d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.