Positive Technologies detected critical vulnerabilities in Siemens equipment for electrical substations

Attackers can gain access to power-system protection, risking disruptions in power supply

Positive Technologies experts Ilya Karpov, Dmitry Sklyarov, and Alexey Stennikov detected high-risk vulnerabilities in Siemens power-system protection equipment, which is used to control and protect equipment at power supply facilities such as electrical substations and hydroelectric power stations. Siemens has fixed the vulnerabilities and issued the corresponding advisories.

SIPROTEC 4, SIPROTEC Compact, and Reyrolle devices that use the EN100 communication module and DIGSI 4 software are vulnerable. By exploiting these vulnerabilities, an attacker can change the configuration of a power-system protection relay, which can lead to disruption of the power equipment protection function (and potentially to an accident) or to customer curtailment.

The most significant hazard lies with CVE-2018-4840, which can be exploited remotely by an attacker with moderate skills. The device engineering mechanism allows an unauthenticated remote user to upload a modified device configuration that overwrites the access authorization passwords.

The following products are prone to this vulnerability:

  • DIGSI 4: all versions released before V4.92
  • EN100 IEC 61850: all versions released before V4.30
  • EN100 PROFINET IO: all versions
  • EN100 Modbus TCP: all versions
  • EN100 DNP3: all versions
  • EN100 IEC 104: all versions

CVE-2018-4839 gives an attacker full access to a device. By intercepting network traffic or obtaining data from the device, an attacker can recover access authorization passwords to the following equipment:

  • SIPROTEC 4 7SJ66: all versions released before V4.30
  • SIPROTEC Compact 7SJ80: all versions released before V4.77
  • SIPROTEC Compact 7SK80: all versions released before V4.77
  • Other SIPROTEC Compact devices: all versions
  • Other SIPROTEC 4 devices: all versions

CVE-2018-4838 allows an intruder to remotely upload an obsolete firmware version that contains known vulnerabilities and to execute code on the target system. Devices that use the EN100 communication module (SIPROTEC 4, SIPROTEC Compact, and Reyrolle) can be attacked.

The following modifications of EN100 are vulnerable:

  • EN100 IEC 61850: all versions released before V4.30
  • EN100 PROFINET IO: all versions
  • EN100 Modbus TCP: all versions
  • EN100 DNP3: all versions
  • EN100 IEC 104: all versions

To eliminate the vulnerabilities, follow the vendor's recommendations in the Siemens advisories (one covering CVE-2018-4840 and CVE-2018-4839, the other covering CVE-2018-4838).

To detect cyber incidents and vulnerabilities in SCADA systems, Positive Technologies offers PT ISIM and MaxPatrol, which take into account the specifics of industrial protocols.