Hitachi Energy Relion 670, 650, SAM600-IO Series (Update A)

Monitor5.9ICS-CERT ICSA-25-160-02Jun 10, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Hitachi Energy Relion 670, 650, and SAM600-IO series are affected by CVE-2022-4304, a vulnerability in the OpenSSL component. An attacker could send timing-based trial messages to the server to record processing times. After sufficient messages, the attacker could recover the pre-master secret from the original TLS connection and decrypt application data sent over that connection.

What this means

What could happen

An attacker who exploits this timing vulnerability could decrypt encrypted communications to and from the Relion device, potentially exposing sensitive control data, configuration settings, or authentication credentials transmitted over the network connection.

Who's at risk

Electric utilities and energy generation facilities using Hitachi Energy Relion 670, 650, or SAM600-IO series protection and control relays should review their deployed versions. This vulnerability affects devices used in power system protection, automation, and remote monitoring—critical to reliable grid operations.

How it could be exploited

An attacker sends multiple timing-probe messages to a Relion device's OpenSSL server and measures response times to infer information about the TLS pre-master secret. After gathering enough timing data across many messages, the attacker reconstructs the secret and uses it to decrypt previously captured encrypted traffic.

Prerequisites

Network access to the Relion device's OpenSSL server port (typically HTTPS/port 443 or other TLS-secured service)
Ability to send repeated probe messages and measure response time differences (requires millisecond-level precision)
Capture of encrypted traffic from an original TLS session to decrypt

remotely exploitablelow complexityno authentication requiredaffects critical infrastructure (energy sector)

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (6)

5 with fix1 pending

ProductAffected VersionsFix Status

Relion 670/650 seriesvers:2.2.0/*No fix yet

Relion 670/650 series650/≥ 2.2.4, ≤ 2.2.4.32.2.4.4 or latest

Relion 670/650/SAM600-IO series650/SAM600-IO/≥ 2.2.1, ≤ 2.2.1.82.2.1.9 or latest

Relion 670/650/SAM600-IO series650/SAM600-IO/≥ 2.2.5, ≤ 2.2.5.52.2.5.6 or latest

Relion 670 series≥ 2.2.2, ≤ 2.2.2.52.2.2.6 or latest

Relion 670 series≥ 2.2.3, ≤ 2.2.3.62.2.3.7 or latest

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGPlace Relion 670/650/SAM600-IO devices behind firewall and isolate from internet-facing networks; do not expose management interfaces to the internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Relion 670/650/SAM600-IO devices to patched versions: 2.2.1.9 or later, 2.2.2.6 or later, 2.2.3.7 or later, 2.2.4.4 or later, or 2.2.5.6 or later depending on your current version

Long-term hardening

0/2

HARDENINGSegment control system networks from business networks to limit attacker access to Relion devices

HARDENINGIf remote access to Relion devices is required, use a VPN with current patches and strong authentication

CVEs (1)

CVE-2022-4304

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/81c8b649-4a13-4084-b1c7-3e513e9b5de5