Post on 26-Jul-2018
SIPROTEC and SICAM Cyber Security
Cyber Security – Product Update ReportJune 2018
https://www.siemens.com/gridsecurity
June 18Cyber Security - Product Update Report
June 2018 2 Edition 1
SIPROTEC & SICAM Product Security UpdateReportJune 18
Dear customer,
Thank you for choosing our products to address your energy automation needs. This report provides anoverview on the latest security-related product updates released by Siemens for the SIPROTEC and SICAMrange of products, spanning:
Protection, Bay Controller and Fault Recorder
SIPROTEC 4
SIPROTEC 5
SIPROTEC Compact
Associated engineering and evaluation software
Substation Automation, RTUs and Power Quality
SICAM Substation Automation
SICAM A8000 / SICAM RTUs
SICAM Power Quality and Measurements
SICAM Accessories
Should you have any questions or need further information in this regard, please contact your SiemensPartner or our Customer Support Center at support.energy@siemens.com.
Reports ArchiveYou can retrieve the security update report for the year 2017 here, and for 2016 here.
June 18
Edition 1 3 June 2018
Security Updates for SIPROTEC and SICAM Products
Important Updates
Product UpdatesJune 2018: SICAM PAS/PQS V8.11 with security-relevant updates⇓ click here for details.
SICAM PQ Analyzer V3.11 with security-relevant updates ⇓ click here for details.
DIGSI 5 V7.80 with security-relevant updates⇓ click here for details.
IEC 61850 System Configurator V5.80 with security-relevant updates⇓ click here fordetails.
Security AdvisoriesJune 2018: New security advisory SSA-159860 released for DIGSI 4, DIGSI 5, IEC 61850 System
Configurator, SICAM PAS/PQS, SICAM PQ Analyzer and SICAM SCC⇓ Use theproduct-related links above for details. Click here for DIGSI 4 and here for SICAM SCC.
Microsoft Windows Security Patch Compatibility ReportsThe Microsoft Windows Security patch compatibility reports for the SIPROTEC and SICAM family of PC-basedsoftware products can be found under Downloads tab⇓ Software⇓ Security Patch Management at this link:
https://w3.siemens.com/smartgrid/global/en/products-systems-solutions/cyber-security/Pages/products.aspx
Information related to Security Patch Management PracticesIn order to maximize the operational security and availability of critical systems, Siemens stronglyrecommends customers to upgrade to supported versions of Microsoft Windows operating systems andWindows-based Siemens products, and to systematically practice security patch management. Siemensrecommends customers to sign up for its patch management and system maintenance services, which enablecustomers to receive tailored security patch management recommendations with minimized delays.
Cyber Security - Product Updates
June 2018 4 Edition 1
SIPROTEC 4SECURITY UPDATE OVERVIEW
Jan-18 Feb-18 Mar-18 Apr-18 May-18 Jun-18 Jul-18 Aug-18 Sep-18 Oct-18 Nov-18 Dec-18 Most recent firmwareversion with securityupdate
Overcurrent Protection
SIPROTEC 7SJ66 Advisory V4.30, March 2018 (click for more
information)
Distance Protection
No security updates in the past month Advisory Mitigations and workarounds
available (click for more
information)
Line Differential Protection
No security updates in the past month Advisory Mitigations and workarounds
available (click for more
information)
Transformer Protection
No security updates in the past month Advisory Mitigations and workarounds
available (click for more
information)
Busbar Protection
No security updates in the past month Advisory Mitigations and workarounds
available (click for more
information)
Generator Protection
No security updates in the past month Advisory Mitigations and workarounds
available (click for more
information)
June 18
Edition 1 5 June 2018
SIPROTEC 4SECURITY UPDATE OVERVIEW
Jan-18 Feb-18 Mar-18 Apr-18 May-18 Jun-18 Jul-18 Aug-18 Sep-18 Oct-18 Nov-18 Dec-18 Most recent firmwareversion with securityupdate
High Speed Busbar Transfer
No security updates in the past month Advisory Mitigations and workarounds
available (click for more
information)
Bay Controller
No security updates in the past month Advisory Mitigations and workarounds
available (click for more
information)
V/f-Relays
No security updates in the past month Advisory Mitigations and workarounds
available (click for more
information)
Transient Earth Fault Relay
No security updates in the past month Advisory Mitigations and workarounds
available (click for more
information)
Breaker Failure Protection
No security updates in the past month Advisory Mitigations and workarounds
available (click for more
information)
Breaker Management
No security updates in the past month Advisory Mitigations and workarounds
available (click for more
information)
Cyber Security - Product Updates
June 2018 6 Edition 1
SIPROTEC 4SECURITY UPDATE OVERVIEW
Jan-18 Feb-18 Mar-18 Apr-18 May-18 Jun-18 Jul-18 Aug-18 Sep-18 Oct-18 Nov-18 Dec-18 Most recent firmwareversion with securityupdate
SIPROTEC 4 – Communication Interfaces
IEC 61850 communication module Advisory V4.30, March 2018 (click for more
information)
DNP3 TCP communication module Advisory V1.04, April 2018 (click for more
information)
IEC 104 communication module Advisory Mitigations and workarounds
available (click for more
information)
PROFINET IO communication module Advisory Mitigations and workarounds
available (click for more
information)
MODBUS TCP communication module Advisory Mitigations and workarounds
available (click for more
information)
Communication module included in SIPROTEC
Merging Unit 6MU80
V1.02.02, July 2017 (click for more
information)
April 2018: SIPROTEC 4 Security Updates
Existing Security Advisories SSA-203306 and SSA-845879 UpdatedEN100 E+/O+ DNP3 TCP Communication Module firmware version V1.04 released to address multiple vulnerabilities. More information can be found under:https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf and https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf
March 2018: SIPROTEC 4 Security Updates
Security Advisories SSA-203306 and SSA-845879
June 18
Edition 1 7 June 2018
- EN100 E+/O+ IEC 61850 Communication Module firmware version V4.30 released to address multiple vulnerabilities. More information, including mitigationsand workarounds for EN100 module variants with pending firmware updates are can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf and https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf
- SIPROTEC 4 protection relay firmware are affected with a vulnerability. SIPROETC 7SJ66 firmware version V4.30 released to address the vulnerability. Moreinformation, including mitigations and workarounds for relays with pending firmware updates are can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf
October 2017: Security Updates for Products of the SIPROTEC 4 and SIPROTEC Compact Families
Security Advisories- SSA-323211: An existing security advisory SSA-323211 has been updated to correct the list of vulnerabilities affecting the SIPROTEC 7SJ66 device.
More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211.pdfSeptember 2017: Security Updates for Products of the SIPROTEC 4 and SIPROTEC Compact Families
Security Advisories- SSA-323211: An existing security advisory SSA-323211 has been updated to inform about the availability of firmware update V1.11.0 to the MODBUS TCP
communication protocol variant of our EN100 Ethernet module.More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211.pdf
July 2017: Security Updates for Products of the SIPROTEC 4 and SIPROTEC Compact Families
Security Advisory SSA-323211- EN100 Ethernet Communication Module DNP3 TCP firmware version : V1.03- EN100 Ethernet Communication Module IEC 104 firmware version : V1.21- EN100 Ethernet Communication Module PROFINET IO firmware version : V1.04.01- EN100 Ethernet Communication Module MODBUS TCP firmware version : V1.10.01- EN100 Ethernet Communication Module included in SIPROTEC Merging Unit 6MU80: V1.02.02- SIPROTEC 7SJ66 firmware version: V4.23
Multiple vulnerabilities have been addressed.More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211.pdf
September 2016: IEC 61850 Communication Module Security Update
Security Advisory SSA-630413- Firmware version: V4.29
Cyber Security - Product Updates
June 2018 8 Edition 1
Multiple vulnerabilities have been addressed.More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-630413.pdf
June 18
Edition 1 9 June 2018
SIPROTEC 5SECURITY UPDATE OVERVIEW
Jan-18
Feb-18
Mar-18
Apr-18
May-18
Jun-18
Jul-18 Aug-18
Sep-18
Oct-18
Nov-18
Dec-18
Most recent firmwareversion with security-relevant update
Overcurrent Protection
SIPROTEC 7SJ82, 7SJ85, 7SJ86 V7.50, Aug 2017. Click here for
details on security-relevant updates.
Distance Protection
SIPROTEC 7SA82, 7SA86, 7SA87 V7.50, Aug 2017. Click here for
details on security-relevant updates.
Line Differential Protection
SIPROTEC 7SD82, 7SD86, 7SD87 V7.50, Aug 2017. Click here for
details on security-relevant updates.
Line Differential and Distance Protection
SIPROTEC 7SL82, 7SL86, 7SL87 V7.50, Aug 2017. Click here for
details on security-relevant updates.
Breaker Management
No security updates in the past month
Transformer Protection
SIPROTEC 7UT82, 7UT85, 7UT86, 7UT87 V7.50, Aug 2017. Click here for
details on security-relevant updates.
Motor Protection
SIPROTEC 7SK82, 7SK85 V7.50, Aug 2017. Click here for
details on security-relevant updates.
Generator Protection
SIPROTEC 7UM85 V7.50, Aug 2017. Click here for
Cyber Security - Product Updates
June 2018 10 Edition 1
SIPROTEC 5SECURITY UPDATE OVERVIEW
Jan-18
Feb-18
Mar-18
Apr-18
May-18
Jun-18
Jul-18 Aug-18
Sep-18
Oct-18
Nov-18
Dec-18
Most recent firmwareversion with security-relevant update
details on security-relevant updates.
Busbar Protection
SIPROTEC 7SS85 V7.50, Aug 2017. Click here for
details on security-relevant updates.
Bay Controller
SIPROTEC 6MD85, 6MD86, 6MD89 V7.50, Aug 2017. Click here for
details on security-relevant updates.
Fault Recorder
SIPROTEC 7KE85 V7.50, Aug 2017. Click here for
details on security-relevant updates.
SIPROTEC 5 – Communication Interfaces
No security updates in the past month
August 2017: Security-relevant updates in SIPROTEC 5 Firmware V7.50, covering select device types
In August 2017 we released the version V7.50 for select SIPROTEC 5 device types (see table above) with the following security-relevant updates.
Security-relevant Features- New central logging functionality for security-relevant events and alarms (Syslog support): All security-relevant events and alarms that are recorded in the device-
internal security log can also be simultaneously transferred to central syslog servers, in order to facilitate substation-wide aggregation of all security-relevantevents in keeping with requirements from standards and guidelines such as IEEE 1686, IEC 62443 and BDEW Whitepaper
Third-party Software Related Updates- Secure communication between DIGSI 5 and SIPROTEC 5 devices is handled on the device side with the OpenSSL component (https://www.openssl.org/).
The OpenSSL version has been updated to 1.0.2K to address multiple reported vulnerabilities: CVE-2017-3731, CVE-2017-3730, CVE-2017-3732, CVE-2016-7055and others fixed by preceding OpenSSL versions.
June 18
Edition 1 11 June 2018
July 2016: Security-relevant updates in SIPROTEC 5 Firmware V7.30, covering select device types
In July 2016 we released the version V7.30 for select SIPROTEC 5 device types (see table above) with the following security-relevant updates.
Third-party Software Related Updates- Applied security fix to Wind River VXWorks to address CVE-2015-3963. Vendor Note: The VxWorks software generates predictable TCP initial sequence numbers
that may allow an attacker to predict the TCP initial sequence numbers from previous values, which may allow an attacker to spoof or disrupt TCP connections.- Secure communication between DIGSI 5 and SIPROTEC 5 devices is handled on the device side with the OpenSSL component (https://www.openssl.org/).
The OpenSSL version has been updated to 1.0.2H to address multiple reported vulnerabilities – CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108,CVE-2016-2109, CVE-2016-2176, CVE-2016-0703, CVE-2016-0704 and others fixed by preceding OpenSSL versions.
Cyber Security - Product Updates
June 2018 12 Edition 1
SIPROTEC COMPACTSECURITY UPDATE OVERVIEW
Jan-18 Feb-18Mar-18 Apr-18 May-18
Jun-18 Jul-18 Aug-18 Sep-18 Oct-18 Nov-18 Dec-18Most recent firmwareversion with securityupdate
Overcurrent Protection
SIPROTEC 7SJ80 Advisory V4.77, March 2018 (click for more
information)
Motor Protection
SIPROTEC 7SK80 Advisory V4.77, March 2018 (click for more
information)
Voltage and Frequency Protection
No security updates in the past month Advisory Mitigations and workarounds
available (click for more
information)
Line Differential Protection
SIPROTEC 7SD80 Advisory V4.70, May 2018 (click for more
information)
Feeder Protection
No security updates in the past month
Merging Unit
No security updates in the past month
SIPROTEC Compact – Communication Interfaces
IEC 61850 Communication module Advisory V4.30, March 2018 (click for more
information)
DNP3 TCP communication module Advisory V1.04, April 2018 (click for more
information)
June 18
Edition 1 13 June 2018
May 2018: SIPROTEC Compact Security Updates
Security Advisory SSA-203306- SIPROTEC Compact 7SD80 protection relay firmware version V4.70 released to address a vulnerability. More information can be found under: https://cert-
portal.siemens.com/productcert/pdf/ssa-203306.pdf
Security Advisory SSA-547990- SIPROTEC Compact 7SD80 protection relay removed from the list of affected products. More information can be found under: https://cert-
portal.siemens.com/productcert/pdf/ssa-203306.pdf
April 2018: SIPROTEC Compact Security Updates
See here for more information.
March 2018: SIPROTEC Compact Security Updates
Security Advisories SSA-203306 and SSA-845879- EN100 E+/O+ IEC 61850 Communication Module firmware version V4.30 released to address multiple vulnerabilities. More information can be found under:
https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf and https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf- SIPROTEC Compact protection relay firmware are affected with a vulnerability. SIPROTEC Compact 7SJ80 and 7SK80 protection relay firmware version V4.77
released to address the vulnerability. More information, including mitigations and workarounds for relays with pending firmware updates are can be foundunder: https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf
-
June 2016: Security-relevant updates in SIPROTEC 7SJ80
Security Advisory SSA-574990- Firmware version: V4.76
“Information Disclosure” vulnerabilities have been addressed.More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-547990.pdf
Cyber Security - Product Updates
June 2018 14 Edition 1
SIPROTEC SOFTWARESECURITY UPDATE OVERVIEW
Jan-18 Feb-18Mar-18 Apr-18 May-18
Jun-18 Jul-18 Aug-18 Sep-18 Oct-18 Nov-18 Dec-18Most recent softwareversion with security-relevant update
DIGSI 5 Update
Advisory
V7.80, June 2018. Click here for
details on security-relevant
updates.
DIGSI 4 Advisory Advisory V4.92, Mar 2018. Click here for
details on security-relevant updates
IEC 61850 System Configurator Advisory V5.80, June 2018. Click here for
more details on security-relevant
updates.
SIGRA V4.58, July 2016. Click here for
more details on security-relevant
updates.
June 2018: DIGSI 5 Security Updates
In June 2018 we released the version DIGSI 5 V7.80 with the following security-relevant updates.
Security-relevant Features- Users can log in to SIPROTEC 5 device over DIGSI 5 with their centrally managed username and password when role-based access control (RBAC) with central user
management is activated in the device (new feature in SIPROTEC 5 firmware version V7.80.) Once logged in to the device, users are allowed to perform only thoseoperations over DIGSI 5 that are authorized for the role(s) they have been assigned – unauthorized operations are denied by the device
- Configuration of RBAC settings and restricted Ethernet access settings for SIPROTEC 5 devices with firmware V7.80
Security Advisory SSA-159860DIGSI 5 software version V7.80 addresses a security vulnerability. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf
June 18
Edition 1 15 June 2018
June 2018: IEC 61850 System Configurator Security Updates
Security Advisory SSA-159860IEC 61850 System Configurator software version V5.80 addresses a security vulnerability. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf
June 2018: DIGSI 4 Security Updates
Security Advisory SSA-159860- All DIGSI 4 versions are affected with a security vulnerability, for which we are providing workarounds until we release a fix. More information can be found
under: https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf
March 2018: DIGSI 4 Security Updates
Security Advisory SSA-203306- DIGSI 4 software version V4.92 released to address multiple vulnerabilities. More information can be found under: https://cert-
portal.siemens.com/productcert/pdf/ssa-203306.pdf
August 2017: Security-relevant updates in DIGSI 5
In August 2017 we released the version DIGSI 5 V7.50 with the following security-relevant updates.
Security-relevant Features- System-local logging of security-relevant DIGSI 5 engineering events- Configuration of new central logging functionality for security-relevant events on SIPROTEC 5 devices (Syslog)
Third-party Software Related Updates- Compatibility with Microsoft Windows 10 operating system
October 2016: Security-relevant updates in IEC 61850 System Configurator
In October 2016 we released the version IEC 61850 System Configurator V5.30 with the following security-relevant updates.
Security-relevant Features- Digitally signed installation software
Cyber Security - Product Updates
June 2018 16 Edition 1
Third-party Software Related Updates- IEC 61850 System Configurator has been designed especially for the following operating systems:
o Microsoft Windows 8.1 Professional and Enterprise 32- and 64-bito Microsoft Windows 7 Ultimate/Enterprise and Professional 32- and 64-bit with Service Pack 1o Microsoft Windows Server 2012 R2 64-bit with Service Pack 1 as workstation computero VMWare support for the following operating systems – Microsoft Windows 7 Ultimate/Enterprise and Professional 32- and 64-bit with Service Pack 1,
Microsoft Windows 8.1 64-Bit
July 2016: Security-relevant updates in DIGSI 5
In July 2016 we released the version DIGSI 5 V7.30 with the following security-relevant updates.
Security-relevant Features- Digitally signed installation software
Third-party Software Related Updates- DIGSI 5 has been designed especially for the following operating systems:
o Microsoft Windows 8.1 Enterprise 32- and 64-bito Microsoft Windows 7 Ultimate/Enterprise and Professional 32- and 64-bit with Service Pack 1o Microsoft Windows Server 2012 R2 64-bit with Service Pack 1 as workstation computero VMWare support for the following operating systems – Microsoft Windows 7 Ultimate/Enterprise and Professional 32- and 64-bit with Service Pack 1,
Microsoft Windows 8.1 64-Bit
July 2016: Security-relevant updates in SIGRA
In July 2016 we released the version SIGRA V4.58 with the following security-relevant updates.
Security-relevant Features- Digitally signed installation software
Third-party Software Related Updates- SIGRA has been designed especially for the following operating systems:
o Microsoft Windows 8.1 Enterprise 32- and 64-bito Microsoft Windows 7 Ultimate/Enterprise and Professional 32- and 64-bit with Service Pack 1o Microsoft Windows Server 2008 R2 64-bit as a workstation computero VMWare support for the following operating systems – Microsoft Windows 7 Ultimate/Enterprise and Professional 32- and 64-bit with Service Pack 1
June 18
Edition 1 17 June 2018
Cyber Security - Product Updates
June 2018 18 Edition 1
SICAM SUBSTATIONAUTOMATION
SECURITY UPDATE OVERVIEW
Jan-18
Feb-18
Mar-18
Apr-18
May-18
Jun-18 Jul-18 Aug-18
Sep-18
Oct-18
Nov-18
Dec-18
Most recentsoftware/firmwareversion with securityupdate
Substation Automation
SICAM PAS Update
Advisory
V8.11, June 2018. Click here for
more details on security updates
HMI and Archiving
SICAM SCC Advisory V9.001 May 2017. Click here for
more details on security updates
Short-Circuit Indicator
SICAM FCG – Fault Collector Gateway V1.00, June 2016. Click here for
more details on security updates
SICAM FSI – Fault Sensor Indicator V1.00, June 2016. Click here for
more details on security updates
June 2018: Security related updates in SICAM PAS/PQS
In June 2018 we released the version SICAM PAS/PQS V8.11 with the following security updates.
Security-relevant features- All security event logs e.g. User login, log off, password change etc. can be additionally logged into a central Syslog server using the Syslog UDP protocol- Syslog parameters IP address, UDP port can be configured using SICAM PAS – User Administration- Secure Communication Add-on V8.11 updates:
o TLS V1.2 support for secure IEC 60870-5-104 and DNP3i master and slave communication protocols as per IEC 62351 requirementso Updated secure authentication support for DNP3i master and slave communication protocols to SAv5 as per IEEE 1815-2012. Support for SAv5
authentication statistics counters is included. Backward compatibility to SAv4 is supported.
June 18
Edition 1 19 June 2018
Security Advisory SSA-159860- SICAM PAS/PQS V8.11 addresses a security vulnerability. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-
159860.pdf
June 2018: SICAM SCC Security Updates
Security Advisory SSA-159860- All SICAM SCC versions are affected with a security vulnerability, for which we are providing workarounds until we release a fix. More information can be
found under: https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf
November 2017: Security related updates in SICAM PAS/PQS
In November 2017 we released the version SICAM PAS/PQS V8.10 with the following security updates.
Third-party Software Related Updates- Added support for the following operating systems: Windows 10 IoT Enterprise LTSB (64-bit), Windows Server 2016 with Desktop Experience (64-bit)- OpenSSL version updated to 1.0.2k to address multiple reported vulnerabilities (see here⇓ OpenSSL news)
June 2017: Security related updates in SICAM PAS/PQS
In June 2017 we released the version SICAM PAS/PQS V8.09 with the following security updates.
Security Advisory SSA-946325- An existing security advisory SSA-946325 has been updated.
More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-946325.pdf
Third-party Software Related Updates- NTP version updated to V4.2.8p10 to address multiple reported vulnerabilities (see here⇓ NTP notices)
May 2017: Security related updates in SICAM SCC
In May 2017 we released the version SICAM SCC V9.01, based on SIMATIC WinCC 7.4 SP1 with the following security related updates.
Security-relevant features- SIMATIC WinCC 7.4 SP1 fixes vulnerabilities as reported on our ProductCERT website under advisories: SSA-701708, SSA-156872
Cyber Security - Product Updates
June 2018 20 Edition 1
- Support for the following operating systems: Windows Server 2016 64-bit (with SIMATIC WinCC 7.4 SP1 as basis), Windows 10 Professional & Enterprise 64-bit,Windows Server 2008 R2 SP1 64-bit, Windows Server 2012 R2 64-bit, Windows 8.1 Professional / Enterprise 32-bit and 64-bit, Windows 7 Professional / Ultimate /Enterprise SP1 32-bit and 64-bit
- Virtualization with VMWare ESXi Server V6.5 (with SIMATIC WinCC 7.4 SP1 as basis)
Third-party Software Related Updates- NTP version updated to V4.2.8p10 to address multiple reported vulnerabilities (see here⇓ NTP notices)
February 2017: Security related updates in SICAM SCC
In February 2017 we released the version SICAM SCC V9.00 with the following security related updates.
Security-relevant features- Support for the following operating systems: Windows 10 Professional & Enterprise 64-bit (only with SIMATIC WinCC 7.4 as basis), Windows Server 2008 R2 SP1
64-bit, Windows Server 2012 R2 64-bit, Windows 8.1 Professional / Enterprise 32-bit and 64-bit, Windows 7 Professional / Ultimate / Enterprise SP1 32-bit and 64-bit
- Digitally signed installation files now also available for hotfixes
November 2016: Security related updates in SICAM PAS/PQS
In November 2016 we released the version SICAM PAS/PQS V8.08 with the following security updates.
Security-relevant features- Three additional roles (according IEC62351-8) introduced in SICAM PAS/PQS - User Administration
o RBAC managero Security administratoro Security auditor
- Support to export security logs
Security Advisories SSA-946325 and SSA-444217- SSA-946325: Multiple vulnerabilities have been addressed n a new security advisory SSA-946325.
More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-946325.pdf
- SSA-444217: An existing security advisory SSA-444217 has been updated. More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-444217.pdf
June 18
Edition 1 21 June 2018
Third-party Software Related Updates- OpenSSL version updated to 1.0.2j in the SICAM PAS Secure Communication Addon to address multiple reported vulnerabilities (see here⇓ OpenSSL news)- 7-Zip version updated to V16.00 to address multiple reported vulnerabilities (see here⇓ more information)- NTP version updated to V4.2.8p7 to address multiple reported vulnerabilities (see here⇓ NTP notices)
June 2016: Security related updates to SICAM FCG
In June 2016 we released the SICAM FCG – “Fault Collector Gateway” - with firmware version V1.00 with the following security features.
Security-relevant features- The SICAM FCG’s short-range radio communication interface supports the device parameterization and the transmission of messages and measured values of
SICAM FSI devices. The information is transmitted in telegrams in a secured way.- The SICAM FCG communication to the control center can be executed based on the IEC 60870-5-104 via internet protocol security (IPSec) tunnel and GSM.- IPSec capabilities:
o Pre-shared keyo IKE v1, v2o Perfect Forward Secrecyo Symmetric encryption with AES-256, AES-192, AES-128, 3DES, DESo Authentication with HMAC-SHA1, HMAC-MD5o IPSec tunnel supervision by ping
June 2016: Security related updates to SICAM FSI
In June 2016 we released the SICAM FSI – “Fault Sensor Indicator” - with firmware version V1.00 with the following security features.
Security-relevant featuresThe SICAM FSI variant 6MD2314-1AB11 transfers earth fault and short circuit related data to a gateway (SICAM FCG) via a secured short-range radio connection.
Cyber Security - Product Updates
June 2018 22 Edition 1
SICAM A8000 / SICAM RTUsSECURITY UPDATE OVERVIEW
Jan-18
Feb-18
Mar-18
Apr-18
May-18
Jun-18
Jul-18 Aug-18
Sep-18
Oct-18 Nov-18
Dec-18
Most recentsoftware/firmwareversion with securityupdate
SICAM A8000 CP-8000/21/22 V12, June 2017. Click here for
more details on security updates
SICAM A8000 CP-8050 V01, Jan 2017. Click here for
more details on security updates
SICAM RTUs - Engineering Software
SICAM AK3 Revision 0401, October 2017.
Click here for more details on
security updates
SICAM RTUs - Communication Interfaces
SM-2558 Ethernet-Interface ETA4 Firmware Revision 08,
October 2016. Click here for more
details.
October 2017: Security related updates in SICAM AK3 RTU
In October2017 we released the firmware revision 0401 of the SICAM AK3 RTU with the following security updates.
Security-relevant features- Firmware signature is implemented- Transport-layer security for IEC60870-5-104 communication (master and slave) based on IEC 60870-5-7, IEC 62351-5 and IEC 62351-3 now supported by ETA-4
Ethernet Interface firmware revision 09:o up to 4 parallel IEC 104 connections securedo user certificates are supported
- Support of IPSEC IKEv2 and additional cipher suites:o AES 192, AES 256o SHA384o DH Group 5 and 14
June 18
Edition 1 23 June 2018
- Following Ciphers are removed from auto-configuration: 3DES, MD5, DH Group 1- SNMPv3 Enhancements
o AES128 and SHA1/SHA2 support (SHA1, SHA2_224, SHA2_256, SHA2_384, SHA2_512)o IP address restricted SNMP accesso Retrieval of firmware revision via SNMP with SICAM RTUs SNMP MIB V04.00.00 for asset monitoring
- Security event logging enhancementso Security logbook - All Syslog Events are written to a security logbook. The security logbook can be downloaded via SICAM Toolbox IIo Syslog Prefix Text - A 32 Byte prefix text can be added to the every Syslog messageo Syslog messages can be sent to a 2nd Syslog Server over the ETA-4 Ethernet interface firmware revision 09
Third-party Software Related Updates- OpenSSL version updated to 1.0.2k to address multiple reported vulnerabilities (see here⇓ OpenSSL news)
June 2017: Security related updates in SICAM A8000 CP-8000/21/22 RTUs
In June 2017 we released the firmware version V12 of the SICAM A8000 CP-8000/21/22 products with the following security updates.
Security-relevant features- Transport-layer security for IEC60870-5-104 communication (master and slave) based on IEC 60870-5-7, IEC 62351-5 and IEC 62351-3 now supported by ET84
Ethernet Interface firmware revision 05:o up to 4 parallel IEC 104 connections securedo user certificates are supported
- Firmware signature check is activated. Only firmware with valid signature are loaded- SNMPv3 enhancements
o included authentication protocol: AES128o included privacy protocols: SHA1, SHA2_224, SHA2_256, SHA2_384, SHA2_512o Retrieve firmware revision with SICAM RTUs SNMP MIB V04.00.00
- Security event loggingo New Syslog events logged by the inbuilt IEC 104 Whitelist Filter of the ET84 Ethernet interface firmware revision 05
ƒ "Data message blocked by system internal WhiteList Filter" – logged upon detection of malformed IEC 104 packetsƒ "Data message in transmit direction blocked by activated WhiteList Filter" - Only defined telegrams (selected by type identification and cause of
transmission) will be sent in transmit direction to the remote network with the WhiteList Filter enabled. All undefined telegrams are blocked.o All Syslog Events are also written to a security logbook. This can be viewed and downloaded via SICAM WEBo A user-defined 32 Byte prefix text can be added to the every Syslog message
- IPSec enhancementso Remote ID can now be left empty (then the IP address will be used) while the Local ID is parameterized to use FQDN (e.g. "CMIC")o Sub network mask for local IP V4 address can have the value 255.255.255.255 to protect a single host network when using IPSec
Cyber Security - Product Updates
June 2018 24 Edition 1
Third-party Software Related Updates- OpenSSL version updated to 1.0.2k to address multiple reported vulnerabilities (see here⇓ OpenSSL news)
January 2017: Security related updates in SICAM A8000 CP-8050 RTUs
In January 2017 we released the firmware version V1 of our new RTU product SICAM A8000 CP-8050 with the following security updates.
Security-relevant features- Role-based access control (RBAC) with support for IEC 62351-8 standard roles in device and in the engineering software SICAM TOOLBOX II- Support for both device-local user accounts and RADIUS-based central user management- Secured password storage- Digitally signed firmware- Secure factory reset of the device- Configurable SD card usage- Onboard firewall with rule generation and editing options- Onboard IPSec features for end-to-site communication security – up to 8 IPSec VPN tunnels supported- Security event logging both locally on device and via Syslog protocol – up to 2 configurable Syslog servers supported- Enable/disable the “Remote operations” feature with process data messages- BDEW whitepaper security conformance statement available
November 2016: Security related updates in SICAM A8000 CP-8000/21/22 RTUs
In November 2016 we released the firmware version V11 of the SICAM A8000 CP-8000/21/22 products with the following security updates.
Security-relevant features- TLS 1.2 support for HTTPS- IPSec enhancements:
o Support for SHA384, DH groups 5 and 14o Ciphers removed from auto-configuration: 3DES, MD5, DH Group 1
- Digitally signed firmware- Support for backup RADIUS server- Syslog messages can be sent to a second Syslog Server- Enable/disable the “Remote operations” feature with process data messages
Third-party Software Related Updates- Upgrade to SQLite 3.13.0 to address a reported vulnerability (see here⇓ more information)
June 18
Edition 1 25 June 2018
- Upgrade to Expat XML Parser 2.2.0 to address multiple reported vulnerabilities (see here⇓ Expat news)
October 2016: Security related updates to SM-2558 Ethernet Interface
Security Advisory SSA-296574"Denial of Service" vulnerability has been addressed in the ETA4 firmware Revision 08 for IEC 60870-5-104 communication.More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-296574.pdf
Cyber Security - Product Updates
June 2018 26 Edition 1
SICAM POWER QUALITY &MEASUREMENTS
SECURITY UPDATE OVERVIEW
Jan-18
Feb-18
Mar-18
Apr-18
May-18
Jun-18 Jul-18 Aug-18
Sep-18
Oct-18
Nov-18
Dec-18
Most recentsoftware/firmware withsecurity update
Power Meter
No security updates in the past month
Digital Measurement and Transducer
No security updates in the past month
Power Quality Recorder
SICAM Q100 Update V2.00, April 2018. Click here for
more details on security updates
SICAM Q200 Update V2.20, April 2018. Click here for
more details on security updates
Power Quality Applications
No security updates in the past month
System Software
SICAM PQS V8.09, June 2017. Click here for
more details on security updates
SICAM PQ Analyzer Advisory V3.11, June 2018. Click here for
more details on security updates
SIGUARD PDP V5.20, September 2017. Click
here for more details on security
updates
June 18
Edition 1 27 June 2018
June 2018: Security related updates to SICAM PQ AnalyzerSecurity Advisory SSA-159860SICAM PAS/PQS V3.11 addresses a security vulnerability. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf
April 2018: Security related updates to SICAM Q200
In April 2018 we released the SICAM Q200 – “Multifunctional Power Recorder and Power Analyzer” - with firmware version V2.20 with the following security features.
Security-relevant features- New central logging functionality for security-relevant events and alarms (Syslog support): All security-relevant events and alarms that are recorded in the device-
internal security log can also be simultaneously transferred to central syslog servers, in order to facilitate substation-wide aggregation of all security-relevantevents in adherence to standards and guidelines such as IEEE 1686, IEC 62443 and BDEW Whitepaper
Security-relevant features- OpenSSL version updated to 1.0.2n to address multiple reported vulnerabilities (see here⇓ OpenSSL news)
April 2018: Security related updates to SICAM Q100
In April 2018 we released the SICAM Q100 – “Power Quality Recorder” - with firmware version V2.00 with the following security features.
Security-relevant features- Digitally signed firmware- Logging of security-relevant events in the password-protected device-internal audit log in adherence to standards and guidelines such as IEEE 1686, IEC 62443 and
BDEW Whitepaper
November 2017: Security related updates to SICAM Q200
In November 2017 we released the SICAM Q200 – “Multifunctional Power Recorder and Power Analyzer” - with firmware version V2.10 with the following securityfeatures.
Security-relevant features- HTTPS-secured web interface with TLS 1.2 and TLS 1.1 support- Digitally signed firmware- Logging of security-relevant events in the password-protected device-internal audit log
November 2017: Security related updates in SICAM PQ Analyzer
In November 2017 we released the version SICAM PQ Analyzer V3.10 with the following security updates.
Cyber Security - Product Updates
June 2018 28 Edition 1
Security-relevant updates- Added support for the following operating systems: Windows 10 IoT Enterprise LTSB (64-bit), Windows Server 2016 with Desktop Experience (64-bit)
October 2017: Security related features in SIGUARD PDP
In October 2017 we released SIGUARD PDP – Phasor Data Processor for Wide Area Monitoring - Version V5.20.
Security-relevant updates- Added support for Microsoft Windows 10 Pro (64 bit) operating system for SIGUARD PDP UI and Engineer workstations- Information and recommendations on SIGUARD PDP system hardening and administration in the accompanying Administrator Guide
June 2017: Security related updates in SICAM PQ Analyzer
In June 2017 we released the version SICAM PQ Analyzer V3.09 with the following security updates.
Security-relevant features- Secure authentication: User credentials are checked while accessing Archive with SICAM PQ Analyzer or SICAM Collector
Third-party Software Related Updates- NTP version updated to V4.2.8p10 to address multiple reported vulnerabilities (see here⇓ NTP notices)
November 2016: Security related updates in SICAM PQ AnalyzerIn November 2016 we released the version SICAM PQ Analyzer V3.08 with the following security updates.
Security-relevant features- Syslog Server Support
o User activities on SICAM PQS archives can be logged into Syslog server by configuring Syslog server information in SICAM PQS – User Administrationo User activities on SICAM PQ Collector Archives can be logged into Syslog server by configuring Syslog server information in SICAM PQ Collectoro All user activities on PQS Archive or SICAM PQ Collector archives are logged in Event logs by default
- Three additional roles (according to IEC62351-8) are introduced:o RBAC managero Security administratoro Security auditor
June 18
Edition 1 29 June 2018
Third-party Software Related Updates- Siemens Automation License Manager (ALM) updated to version V5.3 SP3 Update 1 to address multiple reported vulnerabilities (see here⇓ advisory)- 7-Zip version updated to V16.00 to address multiple reported vulnerabilities (see here⇓ more information)
September 2016: Security related features in SIGUARD PDP
In September 2016 we released SIGUARD PDP – Phasor Data Processor for Wide Area Monitoring - Version V5.10 with the following security features:
Security-relevant features- Cyber Diode (spontaneous start of communication to partner-PDC)- Role-based access control with Windows user administration and NTFS security features- Securing the data connections using IPSec between different SIGUARD PDP servers/workstations, and between the PMU and the SIGUARD PDP Server- Information and recommendations on SIGUARD PDP system hardening and administration in the accompanying Administrator Guide- Support for Microsoft Windows 8.1 and Windows 2012 R2 operating systems
August 2016: Security related updates to SICAM Q200
In August 2016 we released the SICAM Q200 – “Multifunctional Power Recorder and Power Analyzer” - with firmware version V1.00 with the following securityfeatures.
Security-relevant features- Role-based access control- SNMPv3 with support for User-based Security Model (USM) as per RFC 3414.
ACCESSORIESSECURITY UPDATE OVERVIEW
Jan-18
Feb-18
Mar-18
Apr-18
May-18
Jun-18
Jul-18 Aug-18
Sep-18
Oct-18
Nov-18
Dec-18
Most recentsoftware/firmware withsecurity update
No security updates in the past month
SIPROTEC 5 ApplicationError! Reference source not found.
Unrestricted
Published by and copyright © 2018:
Siemens AGEnergy Management DivisionHumboldtstr. 5990459 Nuremberg, Germanywww.siemens.com/siprotecwww.siemens.com/sicam
For more information, please contact your SiemensPartner or our Customer Support Center.
Phone: +49 180 524 70 00Fax: +49 180 524 24 71(Charges depending on the provider)
Email: support.energy@siemens.com
All rights reserved.Trademarks mentioned in this document are theproperty of Siemens AG, its affiliates, or their respectiveowners.Subject to change without prior notice.
The information in this document contains generaldescriptions of the technical options available, whichmay not apply in all cases. The required technicaloptions should therefore be specified in the contract.
For all products using security features of OpenSSLthe following shall apply:
This product includes software developed by theOpenSSL Project for use in the OpenSSL Toolkit(www.openssl.org).
This product includes cryptographic software writtenby Eric Young (eay@cryptsoft.com).