Siemens SIPROTEC 5

Monitor
CVSS 4.6
ICS-CERT ICSA-25-044-03
Feb 11, 2025
Siemens
Attack path
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 5 devices store sensitive data in on-board flash memory without encryption. This allows an attacker with physical access to extract unencrypted information from the device's filesystem, potentially revealing passwords, keys, or configuration data. Affected product variants include all versions of 6MD, 6MU, 7K, 7S, 7U, and 7V series protection relays across multiple processor card options (CP050, CP100, CP150, CP200, CP300). Siemens is developing firmware updates with flash memory encryption but has not yet released fixes. The company recommends network segmentation, physical security, and redundant protection schemes as interim controls.

What this means
What could happen
An attacker with physical access to a SIPROTEC 5 device could extract sensitive unencrypted data from the on-board flash storage, potentially revealing passwords, encryption keys, or configuration details that could aid further attacks on power system protection schemes.
Who's at risk
This affects operators of electric power systems, utilities, and industrial sites that rely on Siemens SIPROTEC 5 protection and control relays for secondary protection schemes, backup protection, or transformer/line protection. These devices are common in high-voltage substations, distribution networks, and critical power infrastructure worldwide.
How it could be exploited
An attacker would need to physically open or disassemble the SIPROTEC 5 device, remove or probe the flash memory chip on its circuit board (PCB), and read the unencrypted filesystem data with standard flash memory extraction tools or techniques. No network access is required.
Prerequisites
  • Physical access to the SIPROTEC 5 device
  • Ability to remove or probe on-board flash memory chip
  • Flash memory extraction tools or equipment
  • No patch currently available
  • Physical access attack vector
  • Affects critical infrastructure (power systems)
  • Unencrypted sensitive data storage
  • Siemens committed to develop fixes but timeline unclear
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (61)
61 pending
Product | Affected Versions | Fix Status
SIPROTEC 5 6MD85 (CP300) | All versions | No fix yet
SIPROTEC 5 6MD86 (CP200) | All versions | No fix yet
SIPROTEC 5 6MD86 (CP300) | All versions | No fix yet
SIPROTEC 5 6MD89 (CP300) | All versions | No fix yet
SIPROTEC 5 6MU85 (CP300) | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Maintain an inventory of all SIPROTEC 5 devices in your protection scheme and monitor Siemens security announcements for when firmware updates with encryption fixes become available.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply security updates immediately once Siemens releases firmware versions with flash memory encryption, following documented procedures and validation protocols.
Long-term hardening
HARDENING: Implement physical security controls to restrict unauthorized physical access to SIPROTEC 5 devices, including locked cabinets, surveillance, and access logs.
HARDENING: Apply geographic or network-based redundancy and multi-level secondary protection schemes to minimize impact if a single device's configuration is compromised.
HARDENING: Segment SIPROTEC 5 devices onto protected networks with firewalls and access controls to limit lateral movement if extracted credentials are used elsewhere.
