Hitachi Energy Relion 670/650/SAM600-IO

Plan: Patch
CVSS: 8.6
ICS-CERT: ICSA-25-065-02
Date: Mar 6, 2025
Vendor: Hitachi Energy
Sector: Energy
Attack path
  • Attack Vector: Network
  • Auth Required: High
  • Complexity: Low
  • User Interaction: None needed
Summary

Hitachi Energy Relion 670/650/SAM600-IO series products contain an insufficient security control vulnerability (CWE-274) that allows users with valid credentials to bypass intended access restrictions. Affected versions include Relion 650 series (versions 1.0.0 through 2.2.x), Relion 670 series (versions 2.0.0 through 2.2.x), and SAM600-IO series (versions 2.2.1 and 2.2.5). The vulnerability could allow credential-authenticated users to circumvent security controls and gain unauthorized access to device functions and configuration.

What this means
What could happen
An attacker with valid user credentials could bypass security controls in the Relion device, potentially gaining unauthorized access to device functions and configuration settings they should not be able to modify.
Who's at risk
Electric utilities and other power industry operators using Hitachi Energy Relion 670, Relion 650, or SAM600-IO series protection and control relays. These devices typically protect and monitor substation equipment including transformers, lines, and generation. If compromised, an attacker with credentials could alter protective relay settings, change operating parameters, or disable protection functions, affecting grid stability and equipment safety.
How it could be exploited
An attacker with valid credentials to the Relion device (obtained through credential theft, insider access, or credential compromise) could authenticate and exploit insufficient security control enforcement to bypass intended access restrictions and perform unauthorized configuration changes or access protected functions.
Prerequisites
  • Valid user credentials (a known username and password) for the Relion device
  • Network access to the Relion device (local substation network, or remote if remote access is enabled)
Key points
  • High CVSS score (8.6)
  • Requires valid user credentials, but security controls can be bypassed once authenticated
  • Affects critical power grid protection equipment
  • Multiple product versions and series affected
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
4 with fix
Product: Relion 650 series
  Affected versions: ≥ 1.0.0.0 and < 1.0.1; ≥ 1.1.0.0 and < 1.1.1; ≥ 1.2.0.0 and < 1.2.1; and 5 more
  Fix status: 2.2.1.8 (v2.2.1), 2.2.4.3 (v2.2.4), 2.2.5.2 (v2.2.5), 2.1.0.5 (v2.1.0), 1.3.0.8 (v1.3.0)
Product: Relion 670 series
  Affected versions: ≥ 2.0.0.0 and ≤ 2.0.0.14; ≥ 2.1.0.0 and ≤ 2.1.0.4; ≥ 2.2.0.0 and < 2.2.1; and 5 more
  Fix status: 2.2.1.8 (v2.2.1), 2.2.2.5 (v2.2.2), 2.2.3.5 (v2.2.3), 2.2.4.3 (v2.2.4), 2.2.5.2 (v2.2.5), 2.1.0.5 (v2.1.0), 2.0.0.14 (v2.0.0)
Product: Relion SAM600-IO series
  Affected versions: ≥ 2.2.1.0 and ≤ 2.2.1.7
  Fix status: 2.2.1.8 (v2.2.1), 2.2.5.2 (v2.2.5)
Product: Relion SAM600-IO series
  Affected versions: ≥ 2.2.5.0 and ≤ 2.2.5.1
  Fix status: 2.2.1.8 (v2.2.1), 2.2.5.2 (v2.2.5)
Remediation & Mitigation
Do now
  • HARDENING: Restrict ODBC protocol access to the local substation network only; disable remote ODBC connections if not required
  • HARDENING: Implement firewall rules to restrict network access to Relion devices, exposing only the minimum necessary ports from authorized networks
  • HARDENING: Implement strong password policies and credential management controls to protect Relion device user accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Relion 650 series
  • HOTFIX: Update Relion 650 series version 2.2.1 to version 2.2.1.8
  • HOTFIX: Update Relion 650 series version 2.2.4 to version 2.2.4.3
  • HOTFIX: Update Relion 650 series version 2.2.5 to version 2.2.5.2
  • HOTFIX: Update Relion 650 series version 2.1.0 to version 2.1.0.5
  • HOTFIX: Update Relion 650 series version 1.3.0 to version 1.3.0.8
Relion 670 series
  • HOTFIX: Update Relion 670 series version 2.2.1 to version 2.2.1.8
  • HOTFIX: Update Relion 670 series version 2.2.2 to version 2.2.2.5
  • HOTFIX: Update Relion 670 series version 2.2.3 to version 2.2.3.5
  • HOTFIX: Update Relion 670 series version 2.2.4 to version 2.2.4.3
  • HOTFIX: Update Relion 670 series version 2.2.5 to version 2.2.5.2
  • HOTFIX: Update Relion 670 series version 2.1.0 to version 2.1.0.5
  • HOTFIX: Update Relion 670 series version 2.0.0 to version 2.0.0.14
Relion SAM600-IO series
  • HOTFIX: Update Relion SAM600-IO series version 2.2.1 to version 2.2.1.8
  • HOTFIX: Update Relion SAM600-IO series version 2.2.5 to version 2.2.5.2
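The affected-version ranges above and the hotfix list are what an asset owner needs to triage a relay fleet before scheduling the maintenance window. The following script is an added example, not part of this advisory page and not Hitachi Energy's or OTPulse's own tooling. It parses the range expressions exactly as the table prints them (e.g. "≥ 2.0.0.0|≤ 2.0.0.14"), maps each device to the hotfix build for its release train, and reports a status per device. Only the ranges printed on the page are encoded; the rows the page elides as "and 5 more" are not reconstructed, so "not in a printed range" means exactly that and not "unaffected". The device names and firmware builds in the sample inventory are constructed for illustration.

```python
import re

# Affected version ranges exactly as printed in the advisory's "Affected
# products" table. Rows the page elides as "and 5 more" are not on the page
# and are deliberately NOT reconstructed here.
AFFECTED_RANGES = {
    "Relion 650 series": ["≥ 1.0.0.0|<1.0.1", "≥ 1.1.0.0|<1.1.1", "≥ 1.2.0.0|<1.2.1"],
    "Relion 670 series": ["≥ 2.0.0.0|≤ 2.0.0.14", "≥ 2.1.0.0|≤ 2.1.0.4", "≥ 2.2.0.0|<2.2.1"],
    "Relion SAM600-IO series": ["≥ 2.2.1.0|≤ 2.2.1.7", "≥ 2.2.5.0|≤ 2.2.5.1"],
}

# Hotfix builds from the advisory's remediation list, keyed by release train
# (the first three version fields).
HOTFIX = {
    "Relion 650 series": {"2.2.1": "2.2.1.8", "2.2.4": "2.2.4.3", "2.2.5": "2.2.5.2",
                          "2.1.0": "2.1.0.5", "1.3.0": "1.3.0.8"},
    "Relion 670 series": {"2.2.1": "2.2.1.8", "2.2.2": "2.2.2.5", "2.2.3": "2.2.3.5",
                          "2.2.4": "2.2.4.3", "2.2.5": "2.2.5.2", "2.1.0": "2.1.0.5",
                          "2.0.0": "2.0.0.14"},
    "Relion SAM600-IO series": {"2.2.1": "2.2.1.8", "2.2.5": "2.2.5.2"},
}

# One bound as printed: a comparison operator followed by a dotted version.
_BOUND = re.compile(r"^(≥|>=|≤|<=|<|>)\s*(\d+(?:\.\d+)*)$")

_CMP = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        "<": lambda a, b: a < b, ">": lambda a, b: a > b}


def parse_version(text):
    """'2.2.1' -> (2, 2, 1, 0). Relion builds carry four numeric fields, so
    shorter strings are zero-padded and tuples compare field by field."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def parse_range(expr):
    """'≥ 2.0.0.0|≤ 2.0.0.14' -> [('>=', (2,0,0,0)), ('<=', (2,0,0,14))]."""
    norm = {"≥": ">=", "≤": "<="}
    bounds = []
    for term in expr.split("|"):
        m = _BOUND.match(term.strip())
        if not m:
            raise ValueError(f"cannot parse bound: {term!r}")
        op, ver = m.groups()
        bounds.append((norm.get(op, op), parse_version(ver)))
    return bounds


def in_range(version, expr):
    """True when the version satisfies every bound in the expression."""
    v = parse_version(version)
    return all(_CMP[op](v, bound) for op, bound in parse_range(expr))


def is_in_listed_range(series, version):
    """True if the version falls inside a range the page prints. False only
    means 'not in a printed range'; an elided row may still cover it."""
    return any(in_range(version, r) for r in AFFECTED_RANGES.get(series, []))


def hotfix_for(series, version):
    """Hotfix build for the device's release train, or None if none is listed."""
    train = ".".join(str(n) for n in parse_version(version)[:3])
    return HOTFIX.get(series, {}).get(train)


def triage_device(name, series, version):
    """Classify one relay: the hotfix list is authoritative where it names the
    device's train; otherwise fall back to the printed affected ranges."""
    fix = hotfix_for(series, version)
    if fix is not None:
        status = "patched" if parse_version(version) >= parse_version(fix) else "update"
    elif is_in_listed_range(series, version):
        status = "affected, no hotfix listed for this train"
    else:
        status = "not in a printed range; check the elided rows in the vendor advisory"
    return {"device": name, "series": series, "version": version,
            "status": status, "target": fix}


def triage(inventory):
    """inventory: iterable of (device name, series, firmware version)."""
    return [triage_device(*row) for row in inventory]


# Constructed sample inventory; device names and builds are hypothetical.
SAMPLE_INVENTORY = [
    ("sub-A-line-prot-1", "Relion 670 series", "2.2.0.3"),
    ("sub-A-xfmr-prot-2", "Relion 650 series", "2.2.1.3"),
    ("sub-B-io-1", "Relion SAM600-IO series", "2.2.5.1"),
    ("sub-B-io-2", "Relion SAM600-IO series", "2.2.5.2"),
    ("sub-C-line-prot-1", "Relion 670 series", "2.0.0.9"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        target = f" -> {r['target']}" if r["target"] else ""
        print(f"{r['device']:<20} {r['series']:<24} {r['version']:<9} {r['status']}{target}")
```

Feed `triage()` a real inventory export in the same (name, series, version) shape. A device on a train with no hotfix on the page (for example a 670 on 2.2.0.x, which the table lists as affected) is reported separately rather than silently mapped to a neighbouring train, so those cases go back to the vendor advisory instead of being guessed.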
API: /api/v1/advisories/959c2580-a083-4fe5-b663-95e9d4e7e479


Hitachi Energy Relion 670/650/SAM600-IO | CVSS 8.6 - OTPulse