Siemens SIPROTEC
MonitorCVSS 5.9ICS-CERT ICSA-24-193-14Jul 9, 2024
Siemens
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary
The SIPROTEC 5 protection relays and communication modules implement weak encryption algorithms in their web interface (port 443), DIGSI 5 engineering client communications (port 4443), and syslog-over-TLS functionality. An attacker positioned on the network between a client and the device could decrypt and read plaintext data including configuration, operational parameters, and potentially credentials. Siemens has released firmware updates for most product variants to strengthen encryption. For CP200 variants and some older models, fixes are not planned or not yet available.
What this means
What could happen
An attacker positioned on the network between a client and a SIPROTEC 5 device could intercept and read configuration data, monitoring information, or credentials transmitted to/from the relay due to weak encryption. This could lead to unauthorized access to the device or exposure of sensitive grid/plant configuration details.
Who's at risk
Electric utilities and water authorities operating Siemens SIPROTEC 5 protection relays. The vulnerability affects protection relays used in substations and distribution systems (voltage/current protection, generator protection, feeder protection, transformer protection models), and communication modules that connect these relays to engineering networks. Any organization using DIGSI 5 engineering software or web-based management interfaces to configure and monitor these devices is affected.
How it could be exploited
An attacker performs a man-in-the-middle attack by positioning themselves on the network path between an engineering workstation (running DIGSI 5 software or web interface client) and a SIPROTEC 5 relay. The attacker captures traffic on port 443 (web), port 4443 (DIGSI 5), or syslog-over-TLS port and decrypts it using weak encryption algorithms, exposing plaintext data.
Prerequisites
- Network access to the SIPROTEC 5 device from the path between client and relay (man-in-the-middle position)
- Access to traffic on ports 443/tcp, 4443/tcp, or configurable syslog-over-TLS port
- Client software (DIGSI 5 workstation or web browser) actively communicating with the device
Remotely exploitable via man-in-the-middle positionAffects confidentiality of sensitive operational dataWeak encryption implementationWide range of product variants affectedSome product variants have no fix available
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (69)
47 with fix22 pending
ProductAffected VersionsFix Status
SIPROTEC 5 7SK85 (CP200)All versionsNo fix yet
SIPROTEC 5 7SK85 (CP300)< 9.659.65
SIPROTEC 5 7SL82 (CP100)< 8.908.90
SIPROTEC 5 7SL82 (CP150)< 9.659.65
SIPROTEC 5 7SL86 (CP200)All versionsNo fix yet
Remediation & Mitigation
0/8
Do now
0/1WORKAROUNDRestrict firewall access to port 443/tcp (web interface), port 4443/tcp (DIGSI 5), and configurable syslog-over-TLS port to trusted IP addresses only
Schedule — requires maintenance window
0/5Patching may require device reboot — plan for process interruption
SIPROTEC 5 7SL82 (CP100)
HOTFIXUpdate SIPROTEC 5 7SJ81 (CP100), 7SJ82 (CP100), 7SK82 (CP100), and Communication Modules ETH-BA-2EL and ETH-BB-2FO (Rev.1) to firmware version 8.89 or later
SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.1)
HOTFIXUpdate SIPROTEC 5 Communication Modules ETH-BA-2EL (Rev.1), ETH-BB-2FO (Rev.1), and ETH-BD-2FO to firmware version 9.62 or later
SIPROTEC 5 Compact 7SX800 (CP050)
HOTFIXUpdate SIPROTEC 5 Compact 7SX800 (CP050) to firmware version 9.64 or later
SIPROTEC 5 7SK85 (CP300)
HOTFIXUpdate SIPROTEC 5 models 6MD84, 6MD85, 6MD86, 6MD89, 6MU85, 7KE85, 7SS85, 7ST85, 7ST86, 7UM85, 7VE85, 7VU85 (CP300 variants) to firmware version 9.64 or later
HOTFIXUpdate SIPROTEC 5 models 7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7SX82, 7UT82 (CP150 variants), and models 7SA86, 7SA87, 7SD86, 7SD87, 7SJ85, 7SJ86, 7SK85, 7SL86, 7SL87, 7SX85, 7UT85, 7UT86, 7UT87, 7VK87 (CP300 variants) to firmware version 9.65 or later
Long-term hardening
0/2HARDENINGImplement network segmentation to isolate SIPROTEC 5 devices on a separate engineering network with restricted access from untrusted network segments
HARDENINGDeploy VPN or other encrypted tunnels for remote access to SIPROTEC 5 devices to add an additional layer of encryption outside the device
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/930666f8-c9a1-4782-b551-59d8d896a23aGet OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.