Hitachi Energy Asset Suite 9
Monitor · 6.9 · ICS-CERT ICSA-23-269-02 · Sep 26, 2023
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: Required
Summary
This vulnerability in Hitachi Energy Asset Suite 9 allows an authenticated user with holder permissions to bypass password verification when executing equipment tag-out actions. The system fails to properly validate the password supplied during tag-out operations, accepting any input as valid. This affects Asset Suite versions 9.6.3.11.1 and earlier, and 9.6.4. The vulnerability is classified as CWE-287 (Improper Authentication). Hitachi Energy has not released a patch as of the advisory date.
What this means
What could happen
An authenticated user with sufficient privileges could bypass the normal password verification for equipment tag-out operations, potentially allowing them to lock out equipment without proper authorization or accountability. This could prevent maintenance work or enable unauthorized operational changes.
Who's at risk
Hitachi Energy Asset Suite 9 is used by electric and energy utilities for equipment management, maintenance tracking, and lockout/tag-out (LOTO) compliance. Organizations running Asset Suite versions 9.6.3.11.1 and 9.6.4 in environments where equipment tag-out procedures are critical to safe maintenance operations should prioritize this.
How it could be exploited
An attacker with valid Asset Suite credentials and holder permissions could enter an arbitrary password when performing tag-out actions on equipment. Instead of verifying the password against a credential store, the system accepts any password, allowing the attacker to bypass the secondary authentication check designed to confirm the action is truly authorized.
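The following is an added illustration of the CWE-287 pattern described above, written for this page and not taken from Asset Suite or from Hitachi Energy. It contrasts a confirmation step that collects a password but never compares it with the stored credential against one that verifies it with a salted PBKDF2 hash and a constant-time comparison, and it records the outcome in an audit trail either way. The `require_password` parameter stands in for the 'C/O HOLDER PSWD' preference; all function and field names are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000  # assumption: any modern work factor will do for the illustration


@dataclass
class Holder:
    """Constructed stand-in for a user with holder permissions."""
    username: str
    salt: bytes
    pw_hash: bytes


def make_holder(username: str, password: str) -> Holder:
    """Create a holder record with a salted PBKDF2-HMAC-SHA256 password hash."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Holder(username, salt, pw_hash)


def verify_password(holder: Holder, password: str) -> bool:
    """Re-derive the hash from the supplied password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), holder.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, holder.pw_hash)


def tagout_vulnerable(holder: Holder, password: str, equipment_id: str,
                      audit: list, require_password: bool = True) -> bool:
    """Flawed confirmation: the password is prompted for but its value is never checked.

    Any string, including an empty one, results in the tag-out being recorded as
    authorized. This mirrors the improper-authentication behaviour on the page.
    """
    del password  # collected from the user, then ignored: this is the defect
    audit.append(f"TAGOUT {equipment_id} by {holder.username} (password prompted)")
    return True


def tagout_fixed(holder: Holder, password: str, equipment_id: str,
                 audit: list, require_password: bool = True) -> bool:
    """Corrected confirmation: verify before acting, and log what was actually checked."""
    if not require_password:
        # Preference set to 'N': no second factor is demanded, and the audit trail
        # says so explicitly rather than implying a verification that never happened.
        audit.append(f"TAGOUT {equipment_id} by {holder.username} (no password required)")
        return True
    if not verify_password(holder, password):
        audit.append(f"TAGOUT-DENIED {equipment_id} by {holder.username}: password mismatch")
        return False
    audit.append(f"TAGOUT {equipment_id} by {holder.username}: password verified")
    return True


def demo() -> dict:
    """Run both implementations on constructed input and return the results."""
    holder = make_holder("jdoe", "correct-horse-battery")  # constructed sample account
    audit: list = []
    results = {
        "vulnerable_accepts_wrong": tagout_vulnerable(holder, "anything", "PUMP-01", audit),
        "fixed_rejects_wrong": tagout_fixed(holder, "anything", "PUMP-01", audit),
        "fixed_accepts_right": tagout_fixed(holder, "correct-horse-battery", "PUMP-01", audit),
        "audit": audit,
    }
    return results


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The point for a reviewer of a tag-out or similar safety confirmation step is that the audit record should reflect what was verified; a log entry that implies a password check happened when the input was discarded is exactly what makes this class of flaw hard to notice after the fact.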
Prerequisites
- Valid Asset Suite user account with holder permissions
- Network access to Asset Suite application
- Asset Suite using SSO or standard password authentication configured to allow holder actions
- Equipment Tag Out feature enabled with 'C/O HOLDER PSWD' set to 'Y' (default)
Tags: authentication bypass · requires valid user credentials · affects access control to safety-critical maintenance procedures · no patch available · insider threat capability
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
Asset Suite: <= 9.6.3.11.1 | ≤ 9.6.3.11.1 | No fix (EOL)
Asset Suite: 9.6.4 | 9.6.4 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable the password verification requirement for tag-out actions by setting the Equipment Tag Out preference 'C/O HOLDER PSWD' to 'N'
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Remove authorization for holder actions on behalf of other employees by disabling the T214ACT, T214RLS, and T214CLR security events for all users
HARDENING: Switch the Asset Suite authentication method from SSO to a different method (e.g., local authentication with stronger credential validation)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Asset Suite: <= 9.6.3.11.1, Asset Suite: 9.6.4. Apply the following compensating controls:
HARDENING: Restrict network access to Asset Suite to authorized engineering workstations and administrative staff only
HARDENING: Implement network segmentation to isolate Asset Suite from business networks and the internet
CVEs (1)