OTPulse

Cleartext Storage of Sensitive Information Vulnerability in SIPROTEC 5

Monitor · 4.6 · SSA-111547 · Feb 11, 2025
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 5 protection relay devices do not encrypt sensitive information stored on the onboard flash memory of the circuit board. An attacker with physical access to the device could extract unencrypted credentials, configuration data, or other sensitive information from the flash storage. This affects all versions of 60 SIPROTEC 5 device models across multiple product families used in power system protection. Siemens is preparing fix versions and, in the meantime, recommends compensating security controls: physical access restrictions, network segmentation, and verification that redundant protection schemes are in place in the grid design. No patches are currently available, so operational security measures are essential.

What this means
What could happen
An attacker with physical access to a SIPROTEC 5 device can extract sensitive information (such as credentials or configuration data) from unencrypted flash storage on the circuit board. This could lead to compromise of the protection relay's credentials or unauthorized changes to grid protection logic if the extracted data is used in a subsequent attack.
Who's at risk
Utility operators managing electrical distribution and transmission networks (TSOs and DSOs) who deploy Siemens SIPROTEC 5 protection relays. These devices are critical secondary protection equipment in substations and power plants that prevent cascading failures by isolating faults in the grid. Affected product lines include multiple protection relay models (6MD, 7KE, 7SA, 7SD, 7SJ, 7SK, 7SL, 7SS, 7ST, 7SX, 7SY, 7UM, 7UT, 7VE, 7VK, 7VU series and the Compact 7SX800).
How it could be exploited
An attacker must physically access the SIPROTEC 5 device and remove or read the onboard flash memory from the PCB. The sensitive data is stored in plaintext on the flash storage, allowing direct extraction of credentials or configuration information that could be used to authenticate to the device or other systems.
Prerequisites
  • Physical access to the SIPROTEC 5 device
  • Ability to extract or read flash memory from the device circuit board
  • Tools to read and parse flash memory contents
Tags:
  • no patch available
  • physical access required
  • affects critical power grid protection equipment
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (61)
61 pending

Product                     Affected Versions   Fix Status
SIPROTEC 5 6MD84 (CP300)    All versions        No fix yet
SIPROTEC 5 6MD85 (CP200)    All versions        No fix yet
SIPROTEC 5 6MD85 (CP300)    All versions        No fix yet
SIPROTEC 5 6MD86 (CP200)    All versions        No fix yet
SIPROTEC 5 6MD86 (CP300)    All versions        No fix yet
Remediation & Mitigation

Do now
  • HARDENING: Implement physical security controls to restrict unauthorized access to SIPROTEC 5 devices (locked cabinets, surveillance, access logs)

Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • HARDENING: Segment SIPROTEC 5 devices on isolated network zones with firewall rules restricting administrative access
  • HARDENING: Deploy network-based monitoring and intrusion detection on circuits connected to SIPROTEC 5 devices to detect credential misuse
  • HOTFIX: Monitor Siemens security updates and apply patches when available

Long-term hardening
  • HARDENING: Verify that multi-level redundant secondary protection schemes are in place according to regulatory requirements for critical power infrastructure
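The segmentation and monitoring items above can be checked against the logs a zone-boundary firewall already produces. The script below is an added example, not code from the advisory, Siemens, or OTPulse: it parses a constructed sample of firewall log lines and reports two things, accepted administrative connections into the relay zone that did not originate from the engineering zone (a gap in the segmentation rules), and any single source that reaches several relays on an administrative port (the pattern to review when credentials may have been recovered from a device). The log format, the 10.30.1.0/24 relay zone, the 10.20.5.0/24 engineering zone and the use of TCP 443 as the administrative port are all assumptions for the example; substitute the deployment's real zones and the ports its administration tooling actually uses.

```python
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of zone-boundary firewall log lines. The format, addresses
# and ports are assumptions for this example, not data from the advisory.
# Fields: timestamp, verdict, source IP, destination IP, destination port.
SAMPLE_LOG = """\
2025-02-12T08:01:13Z ACCEPT 10.20.5.10 10.30.1.21 443
2025-02-12T08:02:44Z ACCEPT 10.20.5.10 10.30.1.22 443
2025-02-12T09:15:02Z ACCEPT 192.168.77.4 10.30.1.21 443
2025-02-12T09:15:05Z ACCEPT 192.168.77.4 10.30.1.22 443
2025-02-12T09:16:30Z DROP 192.168.77.4 10.30.1.23 443
2025-02-12T10:00:00Z ACCEPT 10.20.5.11 10.30.1.21 102
"""

# Assumed zone layout: relays in one VLAN, engineering workstations in another.
RELAY_ZONE = ipaddress.ip_network("10.30.1.0/24")
ENGINEERING_ZONE = ipaddress.ip_network("10.20.5.0/24")
# Assumed set of TCP ports used for device administration; confirm against the
# deployment's own firewall policy before relying on this.
ADMIN_PORTS = {443}

LINE_RE = re.compile(r"^(\S+)\s+(ACCEPT|DROP)\s+(\S+)\s+(\S+)\s+(\d+)$")


@dataclass(frozen=True)
class Event:
    ts: str
    verdict: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int


def parse_log(text: str) -> list[Event]:
    """Parse firewall lines; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, verdict, src, dst, dport = m.groups()
        events.append(Event(ts, verdict, ipaddress.ip_address(src),
                            ipaddress.ip_address(dst), int(dport)))
    return events


def is_admin_to_relay(ev: Event) -> bool:
    """True when the connection targets a relay on an administrative port."""
    return ev.dst in RELAY_ZONE and ev.dport in ADMIN_PORTS


def zone_violations(events: list[Event]) -> list[Event]:
    """Accepted administrative connections into the relay zone whose source is
    outside the engineering zone: each one is a gap in the segmentation policy."""
    return [ev for ev in events
            if ev.verdict == "ACCEPT" and is_admin_to_relay(ev)
            and ev.src not in ENGINEERING_ZONE]


def fan_out_sources(events: list[Event], threshold: int = 3) -> dict[str, list[str]]:
    """Sources (accepted or dropped) that reach at least `threshold` distinct
    relays on an admin port. One address walking across several relays is the
    pattern to review when credentials may have been recovered from a device."""
    seen: dict[str, set] = defaultdict(set)
    for ev in events:
        if is_admin_to_relay(ev):
            seen[str(ev.src)].add(str(ev.dst))
    return {src: sorted(dsts) for src, dsts in seen.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in zone_violations(evs):
        print(f"VIOLATION {ev.ts} {ev.src} -> {ev.dst}:{ev.dport}")
    for src, relays in fan_out_sources(evs).items():
        print(f"REVIEW {src} reached {len(relays)} relays: {', '.join(relays)}")
```

On the sample input the script flags the two accepted sessions from 192.168.77.4 as segmentation violations and lists that same address as having touched three relays; the engineering workstation 10.20.5.10 touches two relays and is only reported when the threshold is lowered, and the port 102 connection is ignored because it is not on an administrative port. Dropped attempts are deliberately counted in the fan-out check, since a blocked sweep across relays is still worth reviewing even though the firewall did its job.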