OTPulse

Siemens SIPROTEC 5: weak encryption in the web interface, DIGSI 5 and syslog-over-TLS communications

CVSS base score: 5.9
Source: ICS-CERT ICSA-24-193-14, published Jul 9, 2024
Attack vector: Network
Authentication required: None
Attack complexity: High
User interaction: None needed
Summary

The SIPROTEC 5 protection relays and communication modules use weak encryption algorithms for their web interface (port 443/tcp), for DIGSI 5 engineering-client communication (port 4443/tcp), and for syslog over TLS. An attacker positioned on the network between a client and the device could decrypt the traffic and read configuration data, operational parameters, and potentially credentials. Siemens has released firmware updates that strengthen the encryption for most product variants. For the CP200 variants and some older models, fixes are not planned or not yet available.

What this means
What could happen
An attacker positioned on the network between a client and a SIPROTEC 5 device could intercept and read configuration data, monitoring information, or credentials transmitted to/from the relay due to weak encryption. This could lead to unauthorized access to the device or exposure of sensitive grid/plant configuration details.
Who's at risk
Electric utilities and water authorities operating Siemens SIPROTEC 5 protection relays. The vulnerability affects protection relays used in substations and distribution systems (voltage/current protection, generator protection, feeder protection, transformer protection models), and communication modules that connect these relays to engineering networks. Any organization using DIGSI 5 engineering software or web-based management interfaces to configure and monitor these devices is affected.
How it could be exploited
An attacker positions themselves on the network path between an engineering workstation (running DIGSI 5 or a browser pointed at the web interface) and a SIPROTEC 5 relay. The attacker captures the traffic on port 443/tcp (web), port 4443/tcp (DIGSI 5) or the configured syslog-over-TLS port and, because the device negotiates weak encryption algorithms, recovers the plaintext from it. No credentials on the device are needed; the attacker only needs the captured traffic and a client talking to the relay.
Prerequisites
  • A position on the network path between the client and the relay (man-in-the-middle), or the ability to capture that traffic
  • Access to traffic on ports 443/tcp, 4443/tcp, or configurable syslog-over-TLS port
  • Client software (DIGSI 5 workstation or web browser) actively communicating with the device
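The page does not say which algorithms Siemens rates as weak, so the practical check is to record what a relay actually negotiates on the ports named above and compare the list before and after the firmware update. The script below is an added example for this page, not code from Siemens, DIGSI or OTPulse. It enumerates the pre-TLS 1.3 cipher suites the server accepts by offering them one at a time (the same idea as nmap's ssl-enum-ciphers), records the protocol and suite chosen by default, and flags suites and versions using this script's own generic weak/deprecated lists, which are an assumption rather than the advisory's criteria. Certificate verification is disabled because the point is to audit the device, not to trust it. The syslog-over-TLS port is configurable on the device, so it has to be passed explicitly; with no host argument the script runs on a constructed sample instead of the network.

```python
"""Probe which TLS versions and cipher suites a SIPROTEC 5 style endpoint accepts.
Added example for this page; not Siemens, DIGSI or OTPulse code. The weak/deprecated
lists are this script's own generic judgement: the advisory does not name the
algorithms it rates as weak, so compare the device's list before and after patching."""
import socket
import ssl
import sys
from typing import List, Optional, Tuple

# Fragments of OpenSSL cipher-suite names treated as weak (generic assumption).
WEAK_FRAGMENTS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "ANON")
# Protocol versions that should no longer be negotiated (generic assumption).
DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def classify_cipher(name: str) -> str:
    """Return 'weak', 'no-pfs' or 'ok' for an OpenSSL-style cipher-suite name."""
    upper = name.upper()
    if any(frag in upper for frag in WEAK_FRAGMENTS):
        return "weak"
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) and (EC)DHE suites use ephemeral keys,
    # so a captured session stays unreadable even if the relay's private key leaks later.
    if upper.startswith("TLS_") or "DHE" in upper:
        return "ok"
    return "no-pfs"  # static RSA / static ECDH key exchange


def classify_protocol(version: str) -> str:
    """Return 'deprecated' or 'ok' for a version string as reported by SSLSocket.version()."""
    return "deprecated" if version in DEPRECATED_PROTOCOLS else "ok"


def audit(protocol: str, accepted: List[str]) -> List[str]:
    """Turn the default-negotiated protocol and the server-accepted suites into findings."""
    findings = []
    if classify_protocol(protocol) == "deprecated":
        findings.append(f"deprecated protocol negotiated: {protocol}")
    for cipher in accepted:
        verdict = classify_cipher(cipher)
        if verdict != "ok":
            findings.append(f"{verdict}: {cipher}")
    return findings


def _handshake(host: str, port: int, ciphers: Optional[str] = None,
               timeout: float = 5.0) -> Tuple[str, str]:
    """Complete one TLS handshake and return (protocol version, negotiated cipher)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # auditing, not trusting: relays often use self-signed certs
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # allow old versions so they can be observed
    if ciphers:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() only governs pre-1.3 suites
    # @SECLEVEL=0 keeps OpenSSL from silently discarding legacy suites on the client side.
    ctx.set_ciphers((ciphers or "ALL:COMPLEMENTOFALL") + ":@SECLEVEL=0")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def enumerate_accepted(host: str, port: int, timeout: float = 5.0) -> List[str]:
    """Offer each locally available pre-TLS1.3 suite on its own, one connection per suite;
    a completed handshake means the server accepts that suite."""
    local = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    local.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    candidates = [c["name"] for c in local.get_ciphers() if c["protocol"] != "TLSv1.3"]
    accepted = []
    for name in candidates:
        try:
            _, negotiated = _handshake(host, port, ciphers=name, timeout=timeout)
            accepted.append(negotiated)
        except (ssl.SSLError, OSError):
            continue  # handshake refused: the server does not offer this suite
    return accepted


# Constructed sample of what a pre-patch probe could return; not measured on a real relay.
SAMPLE_PROTOCOL = "TLSv1"
SAMPLE_ACCEPTED = ["DES-CBC3-SHA", "AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(audit(SAMPLE_PROTOCOL, SAMPLE_ACCEPTED))  # offline demonstration
        sys.exit(0)
    host = sys.argv[1]
    # 443 (web) and 4443 (DIGSI 5) from the advisory; add the configured syslog-over-TLS port.
    ports = [int(p) for p in sys.argv[2:]] or [443, 4443]
    for port in ports:
        proto, cipher = _handshake(host, port)
        print(f"{host}:{port} default={proto}/{cipher}")
        for finding in audit(proto, enumerate_accepted(host, port)):
            print("  " + finding)
```

Run it as `python3 tls_audit.py <relay-ip> 443 4443 6514` from a host that is allowed to reach the relay; each accepted suite costs one handshake, so expect a few hundred short connections per port. A relay on fixed firmware should show no `weak:` lines and a TLS 1.2 or 1.3 default; a `no-pfs:` line is worth noting because such sessions can be decrypted later if the device key is ever extracted.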
Key points
  • Remotely exploitable from a man-in-the-middle position
  • Affects confidentiality of sensitive operational data
  • Weak encryption implementation
  • Wide range of product variants affected
  • Some product variants have no fix available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (69): 47 with fix, 22 pending. Rows shown on this page:

Product                      Affected versions   Fix status
SIPROTEC 5 7SK85 (CP200)     All versions        No fix yet
SIPROTEC 5 7SK85 (CP300)     < 9.65              Fixed in 9.65
SIPROTEC 5 7SL82 (CP100)     < 8.90              Fixed in 8.90
SIPROTEC 5 7SL82 (CP150)     < 9.65              Fixed in 9.65
SIPROTEC 5 7SL86 (CP200)     All versions        No fix yet
Remediation & Mitigation

Do now
  • Workaround: Restrict firewall access to port 443/tcp (web interface), port 4443/tcp (DIGSI 5) and the configured syslog-over-TLS port to trusted IP addresses only. For variants listed as "No fix yet" (the CP200 variants), this workaround and the hardening steps below are the only mitigation currently available.
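The workaround above is only as good as its enforcement, so a practitioner wants both the rule and a way to see who is still reaching the relays. The script below is an added example for this page, not OTPulse or Siemens tooling. It renders the allowlist as an nftables ruleset that accepts trusted engineering hosts on the management ports and logs and drops everything else, and it runs a check over netfilter-style log lines (as produced by nft `log` or the iptables LOG target) to surface untrusted sources reaching the relays. All addresses, interface names and log lines are constructed; the 6514 port is the RFC 5425 default for syslog over TLS and is an assumption, since the relay's configured port may differ.

```python
"""Enforce and verify the firewall workaround: trusted engineering hosts only on the
relay management ports. Added example for this page, not OTPulse or Siemens tooling.
All addresses, interface names and log lines are constructed; 6514 is the RFC 5425
default for syslog over TLS and is an assumption, the relay's configured port may differ."""
import ipaddress
import re
from typing import Dict, List, Optional

# Ports named in the advisory's workaround (6514 assumed for syslog-over-TLS).
MANAGEMENT_PORTS = {443: "web interface", 4443: "DIGSI 5", 6514: "syslog-over-TLS"}
# Trusted engineering workstations / jump hosts and the relay subnet (constructed).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.10.20.0/28", "10.10.30.5/32")]
RELAYS = [ipaddress.ip_network("10.10.100.0/24")]

# Netfilter log lines carry key=value fields such as SRC= DST= PROTO= DPT=.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def render_nft_rules() -> str:
    """Render the allowlist as an nftables ruleset: trusted sources are accepted, any other
    connection attempt to the management ports is logged (feeding check_log) and dropped."""
    ports = ", ".join(str(p) for p in sorted(MANAGEMENT_PORTS))
    trusted = ", ".join(str(n) for n in TRUSTED)
    relays = ", ".join(str(n) for n in RELAYS)
    return (
        "table inet relay_mgmt {\n"
        f"  set trusted_eng {{ type ipv4_addr; flags interval; elements = {{ {trusted} }} }}\n"
        f"  set relays {{ type ipv4_addr; flags interval; elements = {{ {relays} }} }}\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy accept;\n"
        f"    ip daddr @relays tcp dport {{ {ports} }} ip saddr @trusted_eng accept\n"
        f"    ip daddr @relays tcp dport {{ {ports} }} log prefix \"relay-mgmt-deny \" drop\n"
        "  }\n"
        "}\n"
    )


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def check_line(line: str) -> Optional[str]:
    """Return an alert for a TCP connection to a relay management port from an untrusted
    source, None for anything else (other ports, other destinations, trusted sources)."""
    fields: Dict[str, str] = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or not all(k in fields for k in ("SRC", "DST", "DPT")):
        return None
    port = int(fields["DPT"])
    if port not in MANAGEMENT_PORTS or not _in_any(fields["DST"], RELAYS):
        return None
    if _in_any(fields["SRC"], TRUSTED):
        return None
    return f"untrusted {fields['SRC']} -> relay {fields['DST']}:{port} ({MANAGEMENT_PORTS[port]})"


def check_log(lines: List[str]) -> List[str]:
    return [alert for alert in map(check_line, lines) if alert]


# Constructed netfilter-style log lines (not captured from a real firewall).
SAMPLE_LOG = [
    "Jul  9 10:01:02 fw kernel: IN=eth1 OUT=eth2 SRC=10.10.20.3 DST=10.10.100.7 PROTO=TCP SPT=50112 DPT=4443 SYN",
    "Jul  9 10:01:05 fw kernel: IN=eth1 OUT=eth2 SRC=10.10.40.9 DST=10.10.100.7 PROTO=TCP SPT=50113 DPT=443 SYN",
    "Jul  9 10:01:07 fw kernel: IN=eth1 OUT=eth2 SRC=10.10.40.9 DST=10.10.100.7 PROTO=TCP SPT=50114 DPT=102 SYN",
    "Jul  9 10:01:09 fw kernel: IN=eth1 OUT=eth2 SRC=10.10.30.5 DST=10.10.100.8 PROTO=TCP SPT=50115 DPT=6514 SYN",
    "Jul  9 10:01:11 fw kernel: IN=eth1 OUT=eth2 SRC=10.10.40.9 DST=10.10.100.8 PROTO=UDP SPT=514 DPT=514",
]

if __name__ == "__main__":
    print(render_nft_rules())
    for alert in check_log(SAMPLE_LOG):
        print("ALERT:", alert)
```

Load the rendered ruleset with `nft -f`, then point the checker at the kernel log (or at flow records from a span port, after adapting `FIELD_RE`) to confirm that nothing outside the trusted set reaches 443, 4443 or the syslog port. In the constructed sample only the second line fires: the first and fourth come from trusted hosts, the third goes to a non-management port, and the fifth is UDP.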
Schedule — requires maintenance window

Firmware updates require a device restart, during which the relay provides no protection; schedule them in a maintenance window when the protected bay can be taken out of service or covered by backup protection.

  • Hotfix: Update SIPROTEC 5 7SJ81 (CP100), 7SJ82 (CP100), 7SK82 (CP100), and Communication Modules ETH-BA-2EL and ETH-BB-2FO (Rev.1) to firmware version 8.89 or later
  • Hotfix: Update SIPROTEC 5 Communication Modules ETH-BA-2EL (Rev.1), ETH-BB-2FO (Rev.1), and ETH-BD-2FO to firmware version 9.62 or later
  • Hotfix: Update SIPROTEC 5 Compact 7SX800 (CP050) to firmware version 9.64 or later
  • Hotfix: Update SIPROTEC 5 models 6MD84, 6MD85, 6MD86, 6MD89, 6MU85, 7KE85, 7SS85, 7ST85, 7ST86, 7UM85, 7VE85, 7VU85 (CP300 variants) to firmware version 9.64 or later
  • Hotfix: Update SIPROTEC 5 models 7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7SX82, 7UT82 (CP150 variants), and models 7SA86, 7SA87, 7SD86, 7SD87, 7SJ85, 7SJ86, 7SK85, 7SL86, 7SL87, 7SX85, 7UT85, 7UT86, 7UT87, 7VK87 (CP300 variants) to firmware version 9.65 or later
Long-term hardening
  • Hardening: Implement network segmentation to isolate SIPROTEC 5 devices on a separate engineering network with restricted access from untrusted network segments
  • Hardening: Deploy VPN or other encrypted tunnels for remote access to SIPROTEC 5 devices, adding a layer of encryption outside the device that does not depend on the relay's own TLS configuration