Hitachi Energy Relion 670, 650 and SAM600-IO Series

1. EXECUTIVE SUMMARY

• CVSS v3 4.5
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: Relion 670, 650, and SAM600-IO Series
• Vulnerability: Insufficient Verification of Data Authenticity

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause the Intelligent Electronic Device (IED) to restart, causing a temporary denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports this vulnerability affects the following Relion 670, 650 and SAM600-IO Series products: 

• Relion 670/650 series version 2.2.0
• Relion 670/650/SAM600-io series version 2.2.1
• Relion 670 series version 2.2.2
• Relion 670 series version 2.2.3
• Relion 670/650 series version 2.2.4
• Relion 670/650 series version 2.2.5

3.2 VULNERABILITY OVERVIEW

3.2.1    INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

The Hitachi Energy Relion update package signature validation contains an improper access control vulnerability. A tampered update package could cause the IED to restart. After a restart, the device returns to normal operation. An attacker could exploit the vulnerability by gaining access to the system with security privileges and then attempting to update the IED with a malicious update package. Successful exploitation of this vulnerability could cause the IED to restart, causing a temporary denial-of-service condition.

CVE-2022-3864 has been assigned to this vulnerability. A CVSS v3 base score of 4.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland 

3.4 RESEARCHER

Nozomi Networks Labs reported this vulnerability to Hitachi Energy.

4. MITIGATIONS

Hitachi Energy recommends users disable Field Service Tool access and only enable it on an as-needed basis, such as for planned upgrades.

Hitachi Energy recommends the following general mitigation factors and security practices:

• Configure firewalls to protect process control networks from attacks originating from outside the network.
• Physically protect process control systems from direct access by unauthorized personnel.
• Avoid directly connecting control systems to the internet.
• Separate process control networks from other networks via a firewall system with minimal exposed ports.
• Users should not use process control systems for internet surfing, instant messaging, or email.
• Portable computers and removable storage media should be carefully scanned for viruses before connecting to a control system.
• Enforce proper password policies and processes.

For more information, see Hitachi security advisory 8DBD000146.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has low attack complexity.