OTPulse

Hitachi Energy MACH SCM (Update A)

Status: Plan Patch · CVSS 7.7 · ICS-CERT ICSA-24-116-02 · Apr 25, 2024
Summary

Hitachi Energy MACH SCM contains code injection vulnerabilities (CWE-94, CWE-95) that allow execution of arbitrary code. Affected versions are MACH SCM 4.0–4.38.3 and MACH SCM Tools 1.8 and earlier. The vulnerabilities have high attack complexity. MACH SCM versions 4.6–4.38.x can be patched to version 4.38.4; MACH SCM Tools can be updated to version 1.9. MACH SCM versions 4.0–4.5.x have no patch available and require network isolation and access control mitigations.

What this means
What could happen
An attacker with valid credentials and network access to MACH SCM could run arbitrary code on the system, potentially allowing them to modify energy generation or distribution settings, disable safety controls, or disrupt grid operations.
Who's at risk
Energy utilities and grid operators running Hitachi Energy MACH SCM for supervisory control or energy management are affected. This includes both on-premises and hosted MACH SCM deployments used for generation, transmission, or distribution control. MACH SCM Tools users (engineers and power systems planners) on version 1.8 or earlier are also at risk.
How it could be exploited
An attacker with valid engineering or administrative credentials must gain network access to the MACH SCM server. The attacker would then exploit code injection vulnerabilities (CWE-94, CWE-95) to execute arbitrary commands on the system. The high attack complexity suggests this requires specific conditions or knowledge of the system configuration.
Prerequisites
  • Valid credentials for MACH SCM (engineering or administrative account)
  • Network access to MACH SCM server port (502 or web interface)
  • Knowledge of or ability to identify specific application entry points vulnerable to code injection
Key factors
  • Requires valid credentials
  • High attack complexity
  • No publicly known active exploitation
  • No fix available for MACH SCM 4.0–4.5.x versions
  • Affects energy sector infrastructure
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (3)
1 with fix, 2 pending

Product          Affected versions     Fix status
MACH SCM         ≥ 4.0, ≤ 4.5          No fix yet
MACH SCM         ≥ 4.6, ≤ 4.38.3       No fix yet
MACH SCM Tools   ≤ 1.8                 1.9
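The summary and the product table above give the affected ranges as inclusive version bounds with a trailing ".x" ("4.0–4.5.x", "4.6–4.38.3", "Tools ≤ 1.8"), which is easy to misread when an inventory lists three- or four-part build numbers. The script below is an added example, not OTPulse or Hitachi Energy code: it encodes the ranges from the summary as half-open intervals on version tuples (so "≤ 4.5.x" becomes "< 4.6" and "≤ 4.38.3" becomes "< 4.38.4", the fixed build), triages a constructed asset inventory against them, and reports which hosts need the patch and which fall in the no-fix range that must be isolated. Hostnames, versions and the action strings are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Version ranges from the advisory summary, expressed as [low, high) on
# version tuples. Status labels and action text are constructed for this
# example; the version numbers themselves come from the advisory.
RULES = {
    "MACH SCM": [
        ((4, 0), (4, 6), "no_fix",
         "no patch for 4.0-4.5.x: isolate on a segmented control network"),
        ((4, 6), (4, 38, 4), "patch", "upgrade to 4.38.4"),
    ],
    "MACH SCM Tools": [
        ((0,), (1, 9), "patch", "update to 1.9"),
    ],
}


def parse_version(text):
    """'4.38.3' -> (4, 38, 3). Stops at the first non-numeric component,
    so a build suffix such as '4.38.3-hf1' still parses as (4, 38, 3)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def triage(product, version):
    """Return (status, action) for one install.
    status is 'patch', 'no_fix' or 'not_affected'."""
    v = parse_version(version)
    for low, high, status, action in RULES.get(product, []):
        # Python compares tuples lexicographically, so (4, 5, 9) < (4, 6)
        # and (4, 38, 3) < (4, 38, 4) behave as the advisory ranges intend.
        if low <= v < high:
            return status, action
    return "not_affected", "outside the advisory's affected ranges"


def triage_inventory(inventory):
    """inventory: iterable of (host, product, version).
    Returns (rows, counts): one dict per host and a Counter of statuses."""
    rows = []
    for host, product, version in inventory:
        status, action = triage(product, version)
        rows.append({"host": host, "product": product, "version": version,
                     "status": status, "action": action})
    return rows, Counter(r["status"] for r in rows)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("scm-prod-01", "MACH SCM", "4.38.3"),
    ("scm-prod-02", "MACH SCM", "4.38.4"),
    ("scm-legacy-01", "MACH SCM", "4.5.2"),
    ("eng-ws-07", "MACH SCM Tools", "1.8"),
    ("eng-ws-08", "MACH SCM Tools", "1.9"),
]

if __name__ == "__main__":
    rows, counts = triage_inventory(SAMPLE_INVENTORY)
    for r in rows:
        print(f"{r['host']:<14} {r['product']:<15} {r['version']:<8} "
              f"{r['status']:<13} {r['action']}")
    print(dict(counts))
```

Feeding the script a real inventory export is a matter of replacing SAMPLE_INVENTORY; the half-open interval form is what keeps "4.5.2" in the no-fix range and "4.38.4" out of the patch range without any special-casing of the ".x" notation.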
Remediation & Mitigation
Do now
MACH SCM
  • HARDENING: For MACH SCM versions 4.0–4.5.x (no patch available), implement network segmentation: isolate MACH SCM on a separate control network with firewall rules that allow only the necessary connections from engineering workstations and SCADA systems
  • HARDENING: Disable direct internet connections to any MACH SCM server; route all engineering access through a bastion host or jump server with multi-factor authentication
  • WORKAROUND: Restrict MACH SCM access to authorized engineering workstations only using firewall rules; implement IP whitelisting if possible
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

MACH SCM
  • HOTFIX: Upgrade MACH SCM versions 4.6–4.38.x to version 4.38.4
  • HOTFIX: Upgrade MACH SCM Tools version 1.8 or earlier to version 1.9
  • HARDENING: Disable unnecessary features or ports on MACH SCM systems and document the minimal set required for operations
  • HARDENING: Enforce a strong password policy for all MACH SCM accounts and review active user accounts to remove unnecessary credentials
Long-term hardening
MACH SCM
  • HARDENING: Scan all removable media and portable computers before connecting them to MACH SCM systems; prohibit internet use on engineering workstations connected to MACH SCM