Hitachi Energy IEC 61850 MMS-Server (Update B)

MonitorCVSS 5.9ICS-CERT ICSA-23-089-01Feb 14, 2023

Hitachi EnergyEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Hitachi Energy has identified a vulnerability in the IEC 61850 MMS-server communication stack used in Relion 670, 650, and SAM600-IO products. An attacker with network access to port 102 can send a malformed MMS request that crashes the server, preventing new client connections and stopping the device from accepting MMS commands. The device must be manually rebooted to restore communication. During reboot, the relay's primary protection and control functions are unavailable. Hitachi Energy has released firmware updates for most affected versions, but SAM600-IO versions 2.2.1.0–2.2.1.8 have no fix planned.

What this means

What could happen

An attacker can crash the IEC 61850 MMS-server on Hitachi Energy relays, forcing a manual reboot to restore communication with protection and control devices. During reboot, the device cannot accept new client connections and primary protection functionality is unavailable.

Who's at risk

Protection and control relay operators at electric utilities and transmission operators who rely on Hitachi Energy Relion 670/650 series relays and SAM600-IO I/O modules for substation automation. These devices are critical to grid protection and restoration logic. Impact is most severe in systems where these relays handle primary protection functions or are part of critical emergency response chains.

How it could be exploited

An attacker with network access to port 102 (IEC 61850 MMS) sends a malformed or specially crafted MMS connection request. The vulnerable server fails to properly handle the request and stops accepting new connections, effectively denying access to the relay until it is manually rebooted.

Prerequisites

Network access to port 102 (IEC 61850 MMS-server)
No authentication required
Device must be running an affected firmware version

remotely exploitableno authentication requiredlow complexityaffects safety systems (grid protection relays)no patch available for SAM600-IO versions 2.2.1.0–2.2.1.8

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Affected products (4)

3 with fix1 pending

ProductAffected VersionsFix Status

Relion 670 series≥ 1.2|≤ 1.2.3.22≥ 2.0|≤ 2.0.0.13≥ 2.1|≤ 2.1.0.5 and 6 more2.2.5.6 or latest

Relion 650 series1.11.3≥ 2.1|≤ 2.1.0.5 and 4 more2.2.5.6 or latest

SAM600-IO series≥ 2.2.1.0|≤ 2.2.1.8No fix yet

SAM600-IO series≥ 2.2.5.0|≤ 2.2.5.52.2.5.6 or latest

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDFor SAM600-IO versions 2.2.1.0–2.2.1.8: Implement network-level access controls to restrict port 102 (IEC 61850 MMS) to known, trusted devices (engineering workstations and authorized RTUs/relays). No vendor patch is available for this series.

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Relion 670 series

HOTFIXUpdate Relion 670 series to firmware version 2.2.5.6 or latest

Relion 650 series

HOTFIXUpdate Relion 650 series to firmware version 2.2.5.6 or latest

SAM600-IO series

HOTFIXUpdate SAM600-IO series versions 2.2.5.0–2.2.5.5 to version 2.2.5.6 or latest

Long-term hardening

0/1

HARDENINGSegment IEC 61850 MMS communication to a dedicated VLAN and firewall rules to limit MMS-server access to essential grid automation devices only

CVEs (1)

CVE-2022-3353

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3a90ce19-a9bf-4960-ba1f-0798e24cd2a0

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.