Schweitzer Engineering Laboratories SEL 700 series relays
Monitor6.5ICS-CERT ICSA-24-095-02Apr 4, 2024
Attack VectorNetwork
Auth RequiredHigh
ComplexityLow
User InteractionNone needed
Summary
CWE-1242 vulnerability in Schweitzer Engineering Laboratories SEL-700 series protection relays allows an attacker with high-level administrative credentials to modify relay settings or trigger denial-of-service conditions. Affected products include SEL-700BT Motor Bus Transfer Relay, SEL-700G Generator Protection Relay, SEL-710-5 Motor Protection Relay, SEL-751 Feeder Protection Relay, SEL-787-2/-3/-4 Transformer Protection Relay, and SEL-787Z High-Impedance Differential Relay across multiple firmware versions. Successful exploitation could allow modifications to relay logic or cause operational failures in generator, motor, feeder, or transformer protection functions.
What this means
What could happen
An attacker with high-level access to your relay could modify protection settings or trigger a denial-of-service condition, potentially disrupting generator output, motor bus transfers, feeder protection, or transformer protection in your substation or generation facility.
Who's at risk
Electric utilities and generation facilities operating SEL-700 series protection relays (motor bus transfer, generator, motor, feeder, and transformer protection relays). Any organization using these relays for critical protection functions in substations or generation plants should assess exposure.
How it could be exploited
An attacker with administrative-level credentials or access to the relay's configuration interface could exploit this vulnerability to alter relay settings or stop the relay from functioning, affecting the protection scheme for the equipment it guards.
Prerequisites
- High-privilege administrative credentials to the relay
- Network access to the relay's management interface or configuration port
- Knowledge of the relay's configuration protocol
No patch available for some device versionsRequires high-level credentials to exploitCan cause denial of service affecting protection schemesAffects safety and protection systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (9)
9 with fix
ProductAffected VersionsFix Status
SEL-700BT Motor Bus Transfer Relay: >=R301-V0|<R301-V6≥ R301-V0|<R301-V6R301-V6 or R302-V1
SEL-700G Generator Protection Relay: >=R100-V0|<R301-V6≥ R100-V0|<R301-V6R301-V6 or R302-V1
SEL-700G Generator Protection Relay: >=R302-V0|<R302-V1≥ R302-V0|<R302-V1R301-V6 or R302-V1
SEL-710-5 Motor Protection Relay: >=R100-V0|<R302-V1≥ R100-V0|<R302-V1R302-V1
SEL-751 Feeder Protection Relay: >=R101-V0|<R302-V3≥ R101-V0|<R302-V3R302-V3 or R400-V2
SEL-787-2/-3/-4 Transformer Protection Relay: >=R100-V0|<R302-V1≥ R100-V0|<R302-V1R302-V1
SEL-787Z High-Impedance Differential Relay: >=R302-V0|<R302-V3≥ R302-V0|<R302-V3R302-V3
SEL-700BT Motor Bus Transfer Relay: >=R302-V0|<R302-V1≥ R302-V0|<R302-V1R301-V6 or R302-V1
Remediation & Mitigation
0/9
Do now
0/1WORKAROUNDRestrict network access to relay configuration interfaces using firewall rules; do not allow direct internet access to relay management ports
Schedule — requires maintenance window
0/6Patching may require device reboot — plan for process interruption
HOTFIXUpdate SEL-700BT Motor Bus Transfer Relay to R301-V6 or R302-V1
HOTFIXUpdate SEL-700G Generator Protection Relay to R301-V6 or R302-V1
HOTFIXUpdate SEL-710-5 Motor Protection Relay to R302-V1
HOTFIXUpdate SEL-751 Feeder Protection Relay to R302-V3 or R400-V2
HOTFIXUpdate SEL-787-2/-3/-4 Transformer Protection Relay to R302-V1
HOTFIXUpdate SEL-787Z High-Impedance Differential Relay to R302-V3
Long-term hardening
0/2HARDENINGIsolate relay management networks from business networks and general plant IT infrastructure using network segmentation or air gaps
HARDENINGRequire multi-factor authentication or stronger access controls for relay configuration access
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/8a676022-d757-4a43-82f0-7b396b17d452