Siemens SICAM Q200 Devices
Act Now · 9.9 · ICS-CERT ICSA-23-166-03 · Jun 13, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities exist in the POWER METER SICAM Q200 webserver: Cross Site Request Forgery (CSRF), session fixation, missing secure flags in HTTP cookies, and missing input validation allowing memory corruption and potential remote code execution. These enable an authenticated attacker to perform unauthorized meter operations, hijack sessions, or execute arbitrary code on the device.
What this means
What could happen
An attacker with login credentials could exploit CSRF or session fixation vulnerabilities to perform unauthorized actions on the meter (such as resetting data or altering readings), or leverage input validation flaws to execute code and potentially disrupt meter operation or data integrity in the power distribution network.
Who's at risk
Power utility operators managing POWER METER SICAM Q200 devices in distribution networks (DSOs) or transmission systems (TSOs). This affects any organization using Q200 meters for revenue metering, grid monitoring, or operational control in electrical substations or distribution points.
How it could be exploited
An attacker must first obtain valid credentials for the Q200 web interface. They can then trick a logged-in operator into clicking a malicious link (CSRF attack), exploit a session fixation flaw to hijack an authenticated session, or submit specially crafted input to the webserver to trigger memory corruption and remote code execution.
Prerequisites
- Valid Q200 webserver credentials (engineering or operator account)
- Network access to the Q200 HTTPS web interface (port 443/tcp)
- For CSRF attacks: victim must be logged into the Q200 web interface when clicking the malicious link
remotely exploitable · requires valid credentials · low attack complexity · no publicly known exploits yet · affects billing and operational data integrity · affects power grid reliability
Exploitability
Moderate exploit probability (EPSS 1.8%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| POWER METER SICAM Q200 family | <V2.70 | 2.70 |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Q200 port 443/tcp to only trusted IP addresses (engineering workstations, control center)
HARDENING: Instruct operators to avoid clicking links from untrusted sources while logged into Q200 devices
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update POWER METER SICAM Q200 firmware to version 2.70 or later
Long-term hardening
HARDENING: Deploy network segmentation to isolate Q200 meters from general corporate IT and untrusted networks
API:
/api/v1/advisories/65e36bde-81f0-4b63-b587-6127e88aeb9b