OTPulse
FeedAboutContact

Hitachi Energy Relion 670/650/SAM600-IO

Plan Patch8.6ICS-CERT ICSA-25-065-02Mar 6, 2025
Attack VectorNetwork
Auth RequiredHigh
ComplexityLow
User InteractionNone needed
Summary

Insufficient security control vulnerability in Hitachi Energy Relion 670, 650, and SAM600-IO series products allows users with valid credentials to bypass authorization controls. Affected versions: Relion 670 (2.0.0.0–2.0.0.14, 2.1.0.0–2.1.0.4, 2.2.0.0–2.2.0.x, 2.2.1.0–2.2.1.7, 2.2.2.0–2.2.2.4, 2.2.3.0–2.2.3.4, 2.2.4.0–2.2.4.2, 2.2.5.0–2.2.5.1); Relion 650 (1.0.0.0–1.0.0.x, 1.1.0.0–1.1.0.x, 1.2.0.0–1.2.0.x, 2.2.1.0–2.2.1.7, 2.2.4.0–2.2.4.2, 2.2.5.0–2.2.5.1); SAM600-IO (2.2.1.0–2.2.1.7, 2.2.5.0–2.2.5.1). Exploitation requires valid user credentials and network access to the device configuration interface. Successful exploitation could allow an insider or attacker with stolen credentials to modify relay protection settings, bypass safety interlocks, or disable alarms.

What this means
What could happen
An attacker with valid user credentials could bypass security controls in Hitachi Energy Relion protection relays and monitoring systems, potentially gaining unauthorized access to modify device configurations or disable protective functions in substations.
Who's at risk
This vulnerability affects electrical utilities and substations using Hitachi Energy Relion 670, 650, or SAM600-IO protection relays and monitoring equipment. Anyone with engineering access to these devices should be concerned, as the vulnerability allows credential-authenticated personnel to bypass security controls that normally prevent unauthorized changes to protective relay settings and control logic.
How it could be exploited
An attacker with stolen or default user credentials connects to the affected Relion device (670, 650, or SAM600-IO) via network access to the engineering workstation port or ODBC protocol. The attacker authenticates with valid credentials and exploits the insufficient security control vulnerability to bypass authorization checks, allowing them to change relay settings, trip curves, or control logic without proper escalation controls.
Prerequisites
  • Valid user credentials (engineering workstation login)
  • Network access to the Relion device on the configuration port (typically ODBC protocol)
  • The device must be reachable from the attacker's network location
Requires valid user credentials (reduces but does not eliminate risk)Affects critical substation protection equipmentMultiple versions across three product lines affectedNo fix available for some older versions (1.0.0, 1.1.0, 1.2.0, 2.2.0)Bypasses security controls designed to prevent unauthorized relay modifications
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
4 with fix
ProductAffected VersionsFix Status
Relion 650 series≥ 1.0.0.0|<1.0.1; ≥ 1.1.0.0|<1.1.1; ≥ 1.2.0.0|<1.2.1 and 5 more2.2.1.8 (v2.2.1), 2.2.4.3 (v2.2.4), 2.2.5.2 (v2.2.5), 2.1.0.5 (v2.1.0), 1.3.0.8 (v1.3.0)
Relion 670 series≥ 2.0.0.0|≤ 2.0.0.14; ≥ 2.1.0.0|≤ 2.1.0.4; ≥ 2.2.0.0|<2.2.1 and 5 more2.2.1.8 (v2.2.1), 2.2.2.5 (v2.2.2), 2.2.3.5 (v2.2.3), 2.2.4.3 (v2.2.4), 2.2.5.2 (v2.2.5), 2.1.0.5 (v2.1.0), 2.0.0.14 (v2.0.0)
Relion SAM600-IO series≥ 2.2.1.0|≤ 2.2.1.72.2.1.8 (v2.2.1), 2.2.5.2 (v2.2.5)
Relion SAM600-IO series≥ 2.2.5.0|≤ 2.2.5.12.2.1.8 (v2.2.1), 2.2.5.2 (v2.2.5)
Remediation & Mitigation
0/6
Do now
0/2
WORKAROUNDRestrict network access to ODBC configuration ports on Relion devices to engineering workstations only using firewall rules
WORKAROUNDDisable remote access to configuration interfaces unless absolutely required for operations
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Relion 670/650/SAM600-IO series to the specific patched version matching your current version (e.g., 2.2.1.8 for v2.2.1, 2.2.2.5 for v2.2.2, 2.2.3.5 for v2.2.3, 2.2.4.3 for v2.2.4, 2.2.5.2 for v2.2.5, 2.1.0.5 for v2.1.0, or 2.0.0.14 for v2.0.0)
Long-term hardening
0/3
HARDENINGImplement network segmentation to isolate the substation control network from corporate IT networks and the Internet
HARDENINGImplement strict credential management policies including regular password changes, elimination of default credentials, and multi-factor authentication where supported
HARDENINGProhibit direct Internet connectivity for Relion devices and control systems
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/959c2580-a083-4fe5-b663-95e9d4e7e479
Hitachi Energy Relion 670/650/SAM600-IO | CVSS 8.6 - OTPulse