OTPulse

Siemens SIPROTEC 5

Monitor · 4.6 · ICS-CERT ICSA-25-044-03 · Feb 11, 2025
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 5 protection relays do not encrypt sensitive data stored on the on-board flash memory in their circuit boards. An attacker with physical access to the device could read and extract this unencrypted data, potentially obtaining credentials, configuration details, or other security-sensitive information. Siemens is preparing firmware updates to address this issue but currently no patches are available. Until fixes are released, operators should implement physical security controls and rely on redundant protection schemes to mitigate risk.

What this means
What could happen
An attacker with physical access to a SIPROTEC 5 device could extract sensitive data (such as credentials or configuration) directly from the flash storage on the circuit board, potentially compromising protection scheme settings or authentication mechanisms.
Who's at risk
Electric utilities and grid operators managing SIPROTEC 5 protection relays (used in substations, power distribution, and transmission systems) should prioritize physical security measures. This affects a wide range of Siemens protection devices including feeder, distance, differential, and current protection relays across all CP100, CP150, CP200, and CP300 computing platforms.
How it could be exploited
An attacker with physical access to the device removes or reads the unencrypted flash memory on the PCB to extract sensitive data stored in the filesystem. This requires the attacker to open the device enclosure and have knowledge of how to dump or read flash memory contents.
Prerequisites
  • Physical access to the device
  • Ability to access the PCB and flash memory chips
  • Tools to read flash memory (e.g., flash programmer or memory dumper)
Tags: no patch available · physical access required · affects critical infrastructure · sensitive data exposure
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (61), 61 pending

Product                     Affected Versions   Fix Status
SIPROTEC 5 6MD85 (CP300)    All versions        No fix yet
SIPROTEC 5 6MD86 (CP200)    All versions        No fix yet
SIPROTEC 5 6MD86 (CP300)    All versions        No fix yet
SIPROTEC 5 6MD89 (CP300)    All versions        No fix yet
SIPROTEC 5 6MU85 (CP300)    All versions        No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict physical access to SIPROTEC 5 devices through secured enclosures, locked rooms, and access controls to prevent attacker tampering
HARDENING: Apply network segmentation and firewall rules to limit network access to devices; do not expose management interfaces to untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Monitor Siemens security updates and apply vendor fixes when available in your maintenance schedule
Long-term hardening
HARDENING: Implement multi-level redundant protection schemes to reduce reliance on a single device and increase grid resilience against loss of a compromised unit
HARDENING: Configure the environment according to Siemens operational guidelines to run devices in a protected IT environment