ICS Advisory

Hitachi Energy IEC 61850 MMS-Server

Release Date
Alert Code
ICSA-23-089-01

1. EXECUTIVE SUMMARY

  • CVSS v3 5.9
  • ATTENTION: Exploitable remotely
  • Vendor: Hitachi Energy
  • Equipment: IEC 61850 MMS-Server
  • Vulnerability: Improper Resource Shutdown or Release

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause products using the IEC 61850 MMS-server communication stack to stop accepting new MMS-client connections.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions Hitachi Energy equipment using the IEC 61850 communication stack are affected:

  • TXpert Hub CoreTec 4 version 2.0.x
  • TXpert Hub CoreTec 4 version 2.1.x
  • TXpert Hub CoreTec 4 version 2.2.x
  • TXpert Hub CoreTec 4 version 2.3.x
  • TXpert Hub CoreTec 4 version 2.4.x
  • TXpert Hub CoreTec 4 version 3.0.x
  • TXpert Hub CoreTec 5 version 3.0.x
  • Tego1_r15b08 (FOX615 System Release R15B)
  • Tego1_r2a16_03 (FOX615 System Release R14A)
  • Tego1_r2a16
  • Tego1_r1e01
  • Tego1_r1d02
  • Tego1_r1c07
  • Tego1_r1b02
  • GMS600 version 1.3
  • Relion 670 1.2 (Limited)
  • Relion 670 2.0 (Limited)
  • Relion 650 version 1.1 (Limited)
  • Relion 650 version 1.3 (Limited)
  • Relion 650 version 2.1 (Classic)
  • Relion 670 version 2.1 (Classic)
  • Relion SAM600-IO 2.2.1
  • Relion SAM600-IO 2.2.5
  • Relion 670/650 version 2.2.0
  • Relion 670/650 version 2.2.1
  • Relion 670/650 version 2.2.2
  • Relion 670/650 version 2.2.3
  • Relion 670/650 version 2.2.4
  • Relion 670/650 version 2.2.5
  • ITT600 SA Explorer version 1.1.0
  • ITT600 SA Explorer version 1.1.1
  • ITT600 SA Explorer version 1.1.2
  • ITT600 SA Explorer version 1.5.0
  • ITT600 SA Explorer version 1.5.1
  • ITT600 SA Explorer version 1.6.0
  • ITT600 SA Explorer version 1.6.0.1
  • ITT600 SA Explorer version 1.7.0
  • ITT600 SA Explorer version 1.7.2
  • ITT600 SA Explorer version 1.8.0
  • ITT600 SA Explorer version 2.0.1
  • ITT600 SA Explorer version 2.0.2
  • ITT600 SA Explorer version 2.0.3
  • ITT600 SA Explorer version 2.0.4.1
  • ITT600 SA Explorer version 2.0.5.0
  • ITT600 SA Explorer version 2.0.5.4
  • ITT600 SA Explorer version 2.1.0.4
  • ITT600 SA Explorer version 2.1.0.5
  • MSM version 2.2.3 and prior
  • PWC600 version 1.0
  • PWC600 version 1.1
  • PWC600 version 1.2
  • REB500 all V8.x versions
  • REB500 all V7.x versions
  • RTU500 series CMU Firmware version 12.0.1 to 12.0.14
  • RTU500 series CMU Firmware version 12.2.1 to 12.2.11
  • RTU500 series CMU Firmware version 12.4.1 to 12.4.11
  • RTU500 series CMU Firmware version 12.6.1 to 12.6.8  
  • RTU500 series CMU Firmware version 12.7.1 to 12.7.4  
  • RTU500 series CMU Firmware version 13.2.1 to 13.2.5  
  • RTU500 series CMU Firmware version 13.3.1 to 13.3.3  
  • RTU500 series CMU Firmware version 13.4.1
  • SYS600 version 10.1 to 10.3.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404
An attacker could exploit the IEC 61850 MMS-Server communication stack by forcing the communication stack to stop accepting new MMS-client connections.

CVE-2022-3353 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy provided updates for the following products. Contact Hitachi Energy for update information.

  • MSM Server update to version 2.2.5
  • tego1_r15b08 (FOX615 System Release R15B) update to tego1_r16a11 (FOX615 System Release R16A)
  • REB500 all V8.x versions update to REB500 firmware to version 8.3.3.0 when released.
  • RTU500 series CMU Firmware version 12.0.1 to 12.0.14 Update to CMU Firmware version 12.0.15
  • RTU500 series CMU Firmware version 12.2.1 to 12.2.11 Update to CMU Firmware version 12.2.12
  • RTU500 series CMU Firmware version 12.4.1 to 12.4.11 Update to CMU Firmware version 12.4.12
  • RTU500 series CMU Firmware version 12.6.1 to 12.6.8 Update to CMU Firmware version 12.6.9
  • RTU500 series CMU Firmware version 12.7.1 to 12.7.4 Update to CMU Firmware version 12.7.5
  • RTU500 series CMU Firmware version 13.2.1 to 13.2.5 Update to CMU Firmware version 13.2.6
  • RTU500 series CMU Firmware version 13.3.1 to 13.3.3 Update to CMU Firmware version 13.3.4
  • RTU500 series CMU Firmware version 13.4.1 Update to CMU Firmware version 13.4.2
  • SYS600 version 10.1 to 10.3.1 update to SYS600 version 10.4.1

For all versions, Hitachi Energy recommends that users apply these general mitigation factors: 

  • Upgrade the system once a remediated version is available.
  • Apply Hitachi Energy recommended security practices and firewall configurations to help protect a process control network from attacks that originate from outside the network. Such practices include: 
    • Physically protecting process control systems from direct access by unauthorized personnel.
    • Not allowing direct connections to the internet.
      • Process control systems should not be used for internet surfing, instant messaging, or receiving emails.
    • Use a firewall system that has a minimal number of exposed ports to separate the process control network from other networks. 
      • Connection to other networks must be evaluated as necessary. 
    • Scan portable computers and removable storage media carefully for viruses before connection to a control system.
  • MSM is not designed nor intended to be connected to the internet. Disconnect the device from any internet facing network.
    • Adopt user access management and updated antivirus protection engines equipped with the latest signature rules for computers that have installed and are operating the MMS Client application. 
    • Use the default operating system (OS) user access management function to limit unauthorized access and/or rogue commands via the MMS Client application.

For more information, see the Hitachi Energy advisories for the corresponding affected products: 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability has a high attack complexity.

This product is provided subject to this Notification and this Privacy & Use policy.