Schweitzer Engineering Laboratories SEL 700 series relays

MonitorCVSS 6.5ICS-CERT ICSA-24-095-02Apr 4, 2024

Schweitzer Engineering

Attack path

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

CWE-1242 vulnerability in Schweitzer Engineering Laboratories SEL-700 series protection relays allows an attacker with high-level administrative credentials to modify relay settings or trigger denial-of-service conditions. Affected products include SEL-700BT Motor Bus Transfer Relay, SEL-700G Generator Protection Relay, SEL-710-5 Motor Protection Relay, SEL-751 Feeder Protection Relay, SEL-787-2/-3/-4 Transformer Protection Relay, and SEL-787Z High-Impedance Differential Relay across multiple firmware versions. Successful exploitation could allow modifications to relay logic or cause operational failures in generator, motor, feeder, or transformer protection functions.

What this means

What could happen

An attacker with high-level access to your relay could modify protection settings or trigger a denial-of-service condition, potentially disrupting generator output, motor bus transfers, feeder protection, or transformer protection in your substation or generation facility.

Who's at risk

Electric utilities and generation facilities operating SEL-700 series protection relays (motor bus transfer, generator, motor, feeder, and transformer protection relays). Any organization using these relays for critical protection functions in substations or generation plants should assess exposure.

How it could be exploited

An attacker with administrative-level credentials or access to the relay's configuration interface could exploit this vulnerability to alter relay settings or stop the relay from functioning, affecting the protection scheme for the equipment it guards.

Prerequisites

High-privilege administrative credentials to the relay
Network access to the relay's management interface or configuration port
Knowledge of the relay's configuration protocol

No patch available for some device versionsRequires high-level credentials to exploitCan cause denial of service affecting protection schemesAffects safety and protection systems

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (9)

9 with fix

ProductAffected VersionsFix Status

SEL-700BT Motor Bus Transfer Relay: >=R301-V0|<R301-V6≥ R301-V0|<R301-V6R301-V6 or R302-V1

SEL-700G Generator Protection Relay: >=R100-V0|<R301-V6≥ R100-V0|<R301-V6R301-V6 or R302-V1

SEL-700G Generator Protection Relay: >=R302-V0|<R302-V1≥ R302-V0|<R302-V1R301-V6 or R302-V1

SEL-710-5 Motor Protection Relay: >=R100-V0|<R302-V1≥ R100-V0|<R302-V1R302-V1

SEL-751 Feeder Protection Relay: >=R101-V0|<R302-V3≥ R101-V0|<R302-V3R302-V3 or R400-V2

SEL-787-2/-3/-4 Transformer Protection Relay: >=R100-V0|<R302-V1≥ R100-V0|<R302-V1R302-V1

SEL-787Z High-Impedance Differential Relay: >=R302-V0|<R302-V3≥ R302-V0|<R302-V3R302-V3

SEL-700BT Motor Bus Transfer Relay: >=R302-V0|<R302-V1≥ R302-V0|<R302-V1R301-V6 or R302-V1

Remediation & Mitigation

0/9

Do now

0/1

WORKAROUNDRestrict network access to relay configuration interfaces using firewall rules; do not allow direct internet access to relay management ports

Schedule — requires maintenance window

0/6

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SEL-700BT Motor Bus Transfer Relay to R301-V6 or R302-V1

HOTFIXUpdate SEL-700G Generator Protection Relay to R301-V6 or R302-V1

HOTFIXUpdate SEL-710-5 Motor Protection Relay to R302-V1

HOTFIXUpdate SEL-751 Feeder Protection Relay to R302-V3 or R400-V2

HOTFIXUpdate SEL-787-2/-3/-4 Transformer Protection Relay to R302-V1

HOTFIXUpdate SEL-787Z High-Impedance Differential Relay to R302-V3

Long-term hardening

0/2

HARDENINGIsolate relay management networks from business networks and general plant IT infrastructure using network segmentation or air gaps

HARDENINGRequire multi-factor authentication or stronger access controls for relay configuration access

CVEs (1)

CVE-2024-2103

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8a676022-d757-4a43-82f0-7b396b17d452

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.