
SIPROTEC and SICAM Cyber Security

Cyber Security – Product Update Report

June 2018

https://www.siemens.com/gridsecurity


SIPROTEC & SICAM Product Security Update Report June 18

Dear customer,

Thank you for choosing our products to address your energy automation needs. This report provides an overview of the latest security-related product updates released by Siemens for the SIPROTEC and SICAM range of products, spanning:

Protection, Bay Controller and Fault Recorder
- SIPROTEC 4
- SIPROTEC 5
- SIPROTEC Compact
- Associated engineering and evaluation software

Substation Automation, RTUs and Power Quality
- SICAM Substation Automation
- SICAM A8000 / SICAM RTUs
- SICAM Power Quality and Measurements
- SICAM Accessories

Should you have any questions or need further information in this regard, please contact your Siemens Partner or our Customer Support Center at [email protected].

Reports Archive

You can retrieve the security update report for the year 2017 here, and for 2016 here.


Security Updates for SIPROTEC and SICAM Products

Important Updates

Product Updates

June 2018:
- SICAM PAS/PQS V8.11 with security-relevant updates → click here for details.
- SICAM PQ Analyzer V3.11 with security-relevant updates → click here for details.
- DIGSI 5 V7.80 with security-relevant updates → click here for details.
- IEC 61850 System Configurator V5.80 with security-relevant updates → click here for details.

Security Advisories

June 2018:
- New security advisory SSA-159860 released for DIGSI 4, DIGSI 5, IEC 61850 System Configurator, SICAM PAS/PQS, SICAM PQ Analyzer and SICAM SCC → Use the product-related links above for details. Click here for DIGSI 4 and here for SICAM SCC.

Microsoft Windows Security Patch Compatibility Reports

The Microsoft Windows Security patch compatibility reports for the SIPROTEC and SICAM family of PC-based software products can be found under Downloads tab → Software → Security Patch Management at this link:

https://w3.siemens.com/smartgrid/global/en/products-systems-solutions/cyber-security/Pages/products.aspx

Information related to Security Patch Management Practices

In order to maximize the operational security and availability of critical systems, Siemens strongly recommends that customers upgrade to supported versions of Microsoft Windows operating systems and Windows-based Siemens products, and systematically practice security patch management. Siemens recommends that customers sign up for its patch management and system maintenance services, which enable customers to receive tailored security patch management recommendations with minimized delays.

SIPROTEC 4 SECURITY UPDATE OVERVIEW

| Product group | Product | Jan-18 to Dec-18 | Most recent firmware version with security update |
|---|---|---|---|
| Overcurrent Protection | SIPROTEC 7SJ66 | Advisory | V4.30, March 2018 (click for more information) |
| Distance Protection | No security updates in the past month | Advisory | Mitigations and workarounds available (click for more information) |
| Line Differential Protection | No security updates in the past month | Advisory | Mitigations and workarounds available (click for more information) |
| Transformer Protection | No security updates in the past month | Advisory | Mitigations and workarounds available (click for more information) |
| Busbar Protection | No security updates in the past month | Advisory | Mitigations and workarounds available (click for more information) |
| Generator Protection | No security updates in the past month | Advisory | Mitigations and workarounds available (click for more information) |
| High Speed Busbar Transfer | No security updates in the past month | Advisory | Mitigations and workarounds available (click for more information) |
| Bay Controller | No security updates in the past month | Advisory | Mitigations and workarounds available (click for more information) |
| V/f-Relays | No security updates in the past month | Advisory | Mitigations and workarounds available (click for more information) |
| Transient Earth Fault Relay | No security updates in the past month | Advisory | Mitigations and workarounds available (click for more information) |
| Breaker Failure Protection | No security updates in the past month | Advisory | Mitigations and workarounds available (click for more information) |
| Breaker Management | No security updates in the past month | Advisory | Mitigations and workarounds available (click for more information) |
| SIPROTEC 4 – Communication Interfaces | IEC 61850 communication module | Advisory | V4.30, March 2018 (click for more information) |
| | DNP3 TCP communication module | Advisory | V1.04, April 2018 (click for more information) |
| | IEC 104 communication module | Advisory | Mitigations and workarounds available (click for more information) |
| | PROFINET IO communication module | Advisory | Mitigations and workarounds available (click for more information) |
| | MODBUS TCP communication module | Advisory | Mitigations and workarounds available (click for more information) |
| | Communication module included in SIPROTEC Merging Unit 6MU80 | | V1.02.02, July 2017 (click for more information) |

April 2018: SIPROTEC 4 Security Updates

Existing Security Advisories SSA-203306 and SSA-845879 Updated
- EN100 E+/O+ DNP3 TCP Communication Module firmware version V1.04 released to address multiple vulnerabilities. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf and https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf

March 2018: SIPROTEC 4 Security Updates

Security Advisories SSA-203306 and SSA-845879
- EN100 E+/O+ IEC 61850 Communication Module firmware version V4.30 released to address multiple vulnerabilities. More information, including mitigations and workarounds for EN100 module variants with pending firmware updates, can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf and https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf
- SIPROTEC 4 protection relay firmware is affected by a vulnerability. SIPROTEC 7SJ66 firmware version V4.30 released to address the vulnerability. More information, including mitigations and workarounds for relays with pending firmware updates, can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf

October 2017: Security Updates for Products of the SIPROTEC 4 and SIPROTEC Compact Families

Security Advisories
- SSA-323211: An existing security advisory SSA-323211 has been updated to correct the list of vulnerabilities affecting the SIPROTEC 7SJ66 device. More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211.pdf

September 2017: Security Updates for Products of the SIPROTEC 4 and SIPROTEC Compact Families

Security Advisories
- SSA-323211: An existing security advisory SSA-323211 has been updated to inform about the availability of firmware update V1.11.0 to the MODBUS TCP communication protocol variant of our EN100 Ethernet module. More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211.pdf

July 2017: Security Updates for Products of the SIPROTEC 4 and SIPROTEC Compact Families

Security Advisory SSA-323211
- EN100 Ethernet Communication Module DNP3 TCP firmware version: V1.03
- EN100 Ethernet Communication Module IEC 104 firmware version: V1.21
- EN100 Ethernet Communication Module PROFINET IO firmware version: V1.04.01
- EN100 Ethernet Communication Module MODBUS TCP firmware version: V1.10.01
- EN100 Ethernet Communication Module included in SIPROTEC Merging Unit 6MU80: V1.02.02
- SIPROTEC 7SJ66 firmware version: V4.23

Multiple vulnerabilities have been addressed. More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211.pdf

September 2016: IEC 61850 Communication Module Security Update

Security Advisory SSA-630413
- Firmware version: V4.29

Multiple vulnerabilities have been addressed. More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-630413.pdf

SIPROTEC 5 SECURITY UPDATE OVERVIEW

| Product group | Product | Most recent firmware version with security-relevant update |
|---|---|---|
| Overcurrent Protection | SIPROTEC 7SJ82, 7SJ85, 7SJ86 | V7.50, Aug 2017. Click here for details on security-relevant updates. |
| Distance Protection | SIPROTEC 7SA82, 7SA86, 7SA87 | V7.50, Aug 2017. Click here for details on security-relevant updates. |
| Line Differential Protection | SIPROTEC 7SD82, 7SD86, 7SD87 | V7.50, Aug 2017. Click here for details on security-relevant updates. |
| Line Differential and Distance Protection | SIPROTEC 7SL82, 7SL86, 7SL87 | V7.50, Aug 2017. Click here for details on security-relevant updates. |
| Breaker Management | No security updates in the past month | |
| Transformer Protection | SIPROTEC 7UT82, 7UT85, 7UT86, 7UT87 | V7.50, Aug 2017. Click here for details on security-relevant updates. |
| Motor Protection | SIPROTEC 7SK82, 7SK85 | V7.50, Aug 2017. Click here for details on security-relevant updates. |
| Generator Protection | SIPROTEC 7UM85 | V7.50, Aug 2017. Click here for details on security-relevant updates. |
| Busbar Protection | SIPROTEC 7SS85 | V7.50, Aug 2017. Click here for details on security-relevant updates. |
| Bay Controller | SIPROTEC 6MD85, 6MD86, 6MD89 | V7.50, Aug 2017. Click here for details on security-relevant updates. |
| Fault Recorder | SIPROTEC 7KE85 | V7.50, Aug 2017. Click here for details on security-relevant updates. |
| SIPROTEC 5 – Communication Interfaces | No security updates in the past month | |

August 2017: Security-relevant updates in SIPROTEC 5 Firmware V7.50, covering select device types

In August 2017 we released the version V7.50 for select SIPROTEC 5 device types (see table above) with the following security-relevant updates.

Security-relevant Features
- New central logging functionality for security-relevant events and alarms (Syslog support): All security-relevant events and alarms that are recorded in the device-internal security log can also be simultaneously transferred to central syslog servers, in order to facilitate substation-wide aggregation of all security-relevant events in keeping with requirements from standards and guidelines such as IEEE 1686, IEC 62443 and BDEW Whitepaper

Third-party Software Related Updates
- Secure communication between DIGSI 5 and SIPROTEC 5 devices is handled on the device side with the OpenSSL component (https://www.openssl.org/). The OpenSSL version has been updated to 1.0.2K to address multiple reported vulnerabilities: CVE-2017-3731, CVE-2017-3730, CVE-2017-3732, CVE-2016-7055 and others fixed by preceding OpenSSL versions.


July 2016: Security-relevant updates in SIPROTEC 5 Firmware V7.30, covering select device types

In July 2016 we released the version V7.30 for select SIPROTEC 5 device types (see table above) with the following security-relevant updates.

Third-party Software Related Updates
- Applied security fix to Wind River VxWorks to address CVE-2015-3963. Vendor Note: The VxWorks software generates predictable TCP initial sequence numbers that may allow an attacker to predict the TCP initial sequence numbers from previous values, which may allow an attacker to spoof or disrupt TCP connections.
- Secure communication between DIGSI 5 and SIPROTEC 5 devices is handled on the device side with the OpenSSL component (https://www.openssl.org/). The OpenSSL version has been updated to 1.0.2H to address multiple reported vulnerabilities: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, CVE-2016-0703, CVE-2016-0704 and others fixed by preceding OpenSSL versions.


SIPROTEC COMPACT SECURITY UPDATE OVERVIEW

| Product group | Product | Jan-18 to Dec-18 | Most recent firmware version with security update |
|---|---|---|---|
| Overcurrent Protection | SIPROTEC 7SJ80 | Advisory | V4.77, March 2018 (click for more information) |
| Motor Protection | SIPROTEC 7SK80 | Advisory | V4.77, March 2018 (click for more information) |
| Voltage and Frequency Protection | No security updates in the past month | Advisory | Mitigations and workarounds available (click for more information) |
| Line Differential Protection | SIPROTEC 7SD80 | Advisory | V4.70, May 2018 (click for more information) |
| Feeder Protection | No security updates in the past month | | |
| Merging Unit | No security updates in the past month | | |
| SIPROTEC Compact – Communication Interfaces | IEC 61850 Communication module | Advisory | V4.30, March 2018 (click for more information) |
| | DNP3 TCP communication module | Advisory | V1.04, April 2018 (click for more information) |


May 2018: SIPROTEC Compact Security Updates

Security Advisory SSA-203306
- SIPROTEC Compact 7SD80 protection relay firmware version V4.70 released to address a vulnerability. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf

Security Advisory SSA-547990
- SIPROTEC Compact 7SD80 protection relay removed from the list of affected products. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf

April 2018: SIPROTEC Compact Security Updates

See here for more information.

March 2018: SIPROTEC Compact Security Updates

Security Advisories SSA-203306 and SSA-845879
- EN100 E+/O+ IEC 61850 Communication Module firmware version V4.30 released to address multiple vulnerabilities. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf and https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf
- SIPROTEC Compact protection relay firmware is affected by a vulnerability. SIPROTEC Compact 7SJ80 and 7SK80 protection relay firmware version V4.77 released to address the vulnerability. More information, including mitigations and workarounds for relays with pending firmware updates, can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf

June 2016: Security-relevant updates in SIPROTEC 7SJ80

Security Advisory SSA-574990
- Firmware version: V4.76

“Information Disclosure” vulnerabilities have been addressed. More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-547990.pdf


SIPROTEC SOFTWARE SECURITY UPDATE OVERVIEW

| Product | Jan-18 to Dec-18 | Most recent software version with security-relevant update |
|---|---|---|
| DIGSI 5 | Update, Advisory | V7.80, June 2018. Click here for details on security-relevant updates. |
| DIGSI 4 | Advisory, Advisory | V4.92, Mar 2018. Click here for details on security-relevant updates |
| IEC 61850 System Configurator | Advisory | V5.80, June 2018. Click here for more details on security-relevant updates. |
| SIGRA | | V4.58, July 2016. Click here for more details on security-relevant updates. |

June 2018: DIGSI 5 Security Updates

In June 2018 we released the version DIGSI 5 V7.80 with the following security-relevant updates.

Security-relevant Features
- Users can log in to a SIPROTEC 5 device over DIGSI 5 with their centrally managed username and password when role-based access control (RBAC) with central user management is activated in the device (new feature in SIPROTEC 5 firmware version V7.80). Once logged in to the device, users are allowed to perform only those operations over DIGSI 5 that are authorized for the role(s) they have been assigned; unauthorized operations are denied by the device.
- Configuration of RBAC settings and restricted Ethernet access settings for SIPROTEC 5 devices with firmware V7.80

Security Advisory SSA-159860
- DIGSI 5 software version V7.80 addresses a security vulnerability. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf


June 2018: IEC 61850 System Configurator Security Updates

Security Advisory SSA-159860
- IEC 61850 System Configurator software version V5.80 addresses a security vulnerability. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf

June 2018: DIGSI 4 Security Updates

Security Advisory SSA-159860
- All DIGSI 4 versions are affected by a security vulnerability, for which we are providing workarounds until we release a fix. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf

March 2018: DIGSI 4 Security Updates

Security Advisory SSA-203306
- DIGSI 4 software version V4.92 released to address multiple vulnerabilities. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf

August 2017: Security-relevant updates in DIGSI 5

In August 2017 we released the version DIGSI 5 V7.50 with the following security-relevant updates.

Security-relevant Features
- System-local logging of security-relevant DIGSI 5 engineering events
- Configuration of new central logging functionality for security-relevant events on SIPROTEC 5 devices (Syslog)

Third-party Software Related Updates
- Compatibility with Microsoft Windows 10 operating system

October 2016: Security-relevant updates in IEC 61850 System Configurator

In October 2016 we released the version IEC 61850 System Configurator V5.30 with the following security-relevant updates.

Security-relevant Features
- Digitally signed installation software

Third-party Software Related Updates
- IEC 61850 System Configurator has been designed especially for the following operating systems:
  - Microsoft Windows 8.1 Professional and Enterprise 32- and 64-bit
  - Microsoft Windows 7 Ultimate/Enterprise and Professional 32- and 64-bit with Service Pack 1
  - Microsoft Windows Server 2012 R2 64-bit with Service Pack 1 as workstation computer
  - VMWare support for the following operating systems: Microsoft Windows 7 Ultimate/Enterprise and Professional 32- and 64-bit with Service Pack 1, Microsoft Windows 8.1 64-Bit

July 2016: Security-relevant updates in DIGSI 5

In July 2016 we released the version DIGSI 5 V7.30 with the following security-relevant updates.

Security-relevant Features
- Digitally signed installation software

Third-party Software Related Updates
- DIGSI 5 has been designed especially for the following operating systems:
  - Microsoft Windows 8.1 Enterprise 32- and 64-bit
  - Microsoft Windows 7 Ultimate/Enterprise and Professional 32- and 64-bit with Service Pack 1
  - Microsoft Windows Server 2012 R2 64-bit with Service Pack 1 as workstation computer
  - VMWare support for the following operating systems: Microsoft Windows 7 Ultimate/Enterprise and Professional 32- and 64-bit with Service Pack 1, Microsoft Windows 8.1 64-Bit

July 2016: Security-relevant updates in SIGRA

In July 2016 we released the version SIGRA V4.58 with the following security-relevant updates.

Security-relevant Features
- Digitally signed installation software

Third-party Software Related Updates
- SIGRA has been designed especially for the following operating systems:
  - Microsoft Windows 8.1 Enterprise 32- and 64-bit
  - Microsoft Windows 7 Ultimate/Enterprise and Professional 32- and 64-bit with Service Pack 1
  - Microsoft Windows Server 2008 R2 64-bit as a workstation computer
  - VMWare support for the following operating systems: Microsoft Windows 7 Ultimate/Enterprise and Professional 32- and 64-bit with Service Pack 1


SICAM SUBSTATION AUTOMATION SECURITY UPDATE OVERVIEW

| Product group | Product | Jan-18 to Dec-18 | Most recent software/firmware version with security update |
|---|---|---|---|
| Substation Automation | SICAM PAS | Update, Advisory | V8.11, June 2018. Click here for more details on security updates |
| HMI and Archiving | SICAM SCC | Advisory | V9.001 May 2017. Click here for more details on security updates |
| Short-Circuit Indicator | SICAM FCG – Fault Collector Gateway | | V1.00, June 2016. Click here for more details on security updates |
| | SICAM FSI – Fault Sensor Indicator | | V1.00, June 2016. Click here for more details on security updates |

June 2018: Security related updates in SICAM PAS/PQS

In June 2018 we released the version SICAM PAS/PQS V8.11 with the following security updates.

Security-relevant features
- All security event logs, e.g. user login, log off, password change etc., can be additionally logged into a central Syslog server using the Syslog UDP protocol
- Syslog parameters IP address, UDP port can be configured using SICAM PAS – User Administration
- Secure Communication Add-on V8.11 updates:
  - TLS V1.2 support for secure IEC 60870-5-104 and DNP3i master and slave communication protocols as per IEC 62351 requirements
  - Updated secure authentication support for DNP3i master and slave communication protocols to SAv5 as per IEEE 1815-2012. Support for SAv5 authentication statistics counters is included. Backward compatibility to SAv4 is supported.


Security Advisory SSA-159860
- SICAM PAS/PQS V8.11 addresses a security vulnerability. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf

June 2018: SICAM SCC Security Updates

Security Advisory SSA-159860
- All SICAM SCC versions are affected by a security vulnerability, for which we are providing workarounds until we release a fix. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf

November 2017: Security related updates in SICAM PAS/PQS

In November 2017 we released the version SICAM PAS/PQS V8.10 with the following security updates.

Third-party Software Related Updates
- Added support for the following operating systems: Windows 10 IoT Enterprise LTSB (64-bit), Windows Server 2016 with Desktop Experience (64-bit)
- OpenSSL version updated to 1.0.2k to address multiple reported vulnerabilities (see here → OpenSSL news)

June 2017: Security related updates in SICAM PAS/PQS

In June 2017 we released the version SICAM PAS/PQS V8.09 with the following security updates.

Security Advisory SSA-946325
- An existing security advisory SSA-946325 has been updated. More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-946325.pdf

Third-party Software Related Updates
- NTP version updated to V4.2.8p10 to address multiple reported vulnerabilities (see here → NTP notices)

May 2017: Security related updates in SICAM SCC

In May 2017 we released the version SICAM SCC V9.01, based on SIMATIC WinCC 7.4 SP1 with the following security related updates.

Security-relevant features
- SIMATIC WinCC 7.4 SP1 fixes vulnerabilities as reported on our ProductCERT website under advisories: SSA-701708, SSA-156872
- Support for the following operating systems: Windows Server 2016 64-bit (with SIMATIC WinCC 7.4 SP1 as basis), Windows 10 Professional & Enterprise 64-bit, Windows Server 2008 R2 SP1 64-bit, Windows Server 2012 R2 64-bit, Windows 8.1 Professional / Enterprise 32-bit and 64-bit, Windows 7 Professional / Ultimate / Enterprise SP1 32-bit and 64-bit
- Virtualization with VMWare ESXi Server V6.5 (with SIMATIC WinCC 7.4 SP1 as basis)

Third-party Software Related Updates
- NTP version updated to V4.2.8p10 to address multiple reported vulnerabilities (see here → NTP notices)

February 2017: Security related updates in SICAM SCC

In February 2017 we released the version SICAM SCC V9.00 with the following security related updates.

Security-relevant features
- Support for the following operating systems: Windows 10 Professional & Enterprise 64-bit (only with SIMATIC WinCC 7.4 as basis), Windows Server 2008 R2 SP1 64-bit, Windows Server 2012 R2 64-bit, Windows 8.1 Professional / Enterprise 32-bit and 64-bit, Windows 7 Professional / Ultimate / Enterprise SP1 32-bit and 64-bit
- Digitally signed installation files now also available for hotfixes

November 2016: Security related updates in SICAM PAS/PQS

In November 2016 we released the version SICAM PAS/PQS V8.08 with the following security updates.

Security-relevant features
- Three additional roles (according to IEC 62351-8) introduced in SICAM PAS/PQS - User Administration
  - RBAC manager
  - Security administrator
  - Security auditor
- Support to export security logs

Security Advisories SSA-946325 and SSA-444217
- SSA-946325: Multiple vulnerabilities have been addressed in a new security advisory SSA-946325. More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-946325.pdf
- SSA-444217: An existing security advisory SSA-444217 has been updated. More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-444217.pdf


Third-party Software Related Updates
- OpenSSL version updated to 1.0.2j in the SICAM PAS Secure Communication Addon to address multiple reported vulnerabilities (see here → OpenSSL news)
- 7-Zip version updated to V16.00 to address multiple reported vulnerabilities (see here → more information)
- NTP version updated to V4.2.8p7 to address multiple reported vulnerabilities (see here → NTP notices)

June 2016: Security related updates to SICAM FCG

In June 2016 we released the SICAM FCG – “Fault Collector Gateway” - with firmware version V1.00 with the following security features.

Security-relevant features
- The SICAM FCG’s short-range radio communication interface supports the device parameterization and the transmission of messages and measured values of SICAM FSI devices. The information is transmitted in telegrams in a secured way.
- The SICAM FCG communication to the control center can be executed based on the IEC 60870-5-104 via internet protocol security (IPSec) tunnel and GSM.
- IPSec capabilities:
  - Pre-shared key
  - IKE v1, v2
  - Perfect Forward Secrecy
  - Symmetric encryption with AES-256, AES-192, AES-128, 3DES, DES
  - Authentication with HMAC-SHA1, HMAC-MD5
  - IPSec tunnel supervision by ping

June 2016: Security related updates to SICAM FSI

In June 2016 we released the SICAM FSI – “Fault Sensor Indicator” - with firmware version V1.00 with the following security features.

Security-relevant features
- The SICAM FSI variant 6MD2314-1AB11 transfers earth fault and short circuit related data to a gateway (SICAM FCG) via a secured short-range radio connection.


SICAM A8000 / SICAM RTUs
SECURITY UPDATE OVERVIEW

[Timeline: Jan-18 to Dec-18]

Most recent software/firmware version with security update
- SICAM A8000 CP-8000/21/22: V12, June 2017
- SICAM A8000 CP-8050: V01, Jan 2017

SICAM RTUs - Engineering Software
- SICAM AK3: Revision 0401, October 2017

SICAM RTUs - Communication Interfaces
- SM-2558 Ethernet-Interface ETA4: Firmware Revision 08, October 2016

October 2017: Security related updates in SICAM AK3 RTU

In October 2017 we released the firmware revision 0401 of the SICAM AK3 RTU with the following security updates.

Security-relevant features
- Firmware signature is implemented
- Transport-layer security for IEC 60870-5-104 communication (master and slave) based on IEC 60870-5-7, IEC 62351-5 and IEC 62351-3 now supported by ETA-4 Ethernet Interface firmware revision 09:
  o up to 4 parallel IEC 104 connections secured
  o user certificates are supported
- Support of IPSEC IKEv2 and additional cipher suites:
  o AES 192, AES 256
  o SHA384
  o DH Group 5 and 14

- The following ciphers are removed from auto-configuration: 3DES, MD5, DH Group 1
- SNMPv3 enhancements
  o AES128 and SHA1/SHA2 support (SHA1, SHA2_224, SHA2_256, SHA2_384, SHA2_512)
  o IP address restricted SNMP access
  o Retrieval of firmware revision via SNMP with SICAM RTUs SNMP MIB V04.00.00 for asset monitoring
- Security event logging enhancements
  o Security logbook - All Syslog events are written to a security logbook. The security logbook can be downloaded via SICAM Toolbox II
  o Syslog prefix text - A 32 Byte prefix text can be added to every Syslog message
  o Syslog messages can be sent to a 2nd Syslog Server over the ETA-4 Ethernet interface firmware revision 09

Third-party Software Related Updates
- OpenSSL version updated to 1.0.2k to address multiple reported vulnerabilities (see OpenSSL news)

June 2017: Security related updates in SICAM A8000 CP-8000/21/22 RTUs

In June 2017 we released the firmware version V12 of the SICAM A8000 CP-8000/21/22 products with the following security updates.

Security-relevant features
- Transport-layer security for IEC 60870-5-104 communication (master and slave) based on IEC 60870-5-7, IEC 62351-5 and IEC 62351-3 now supported by ET84 Ethernet Interface firmware revision 05:
  o up to 4 parallel IEC 104 connections secured
  o user certificates are supported
- Firmware signature check is activated. Only firmware with a valid signature is loaded
- SNMPv3 enhancements
  o included authentication protocol: AES128
  o included privacy protocols: SHA1, SHA2_224, SHA2_256, SHA2_384, SHA2_512
  o Retrieve firmware revision with SICAM RTUs SNMP MIB V04.00.00
- Security event logging
  o New Syslog events logged by the inbuilt IEC 104 Whitelist Filter of the ET84 Ethernet interface firmware revision 05
    - "Data message blocked by system internal WhiteList Filter" – logged upon detection of malformed IEC 104 packets
    - "Data message in transmit direction blocked by activated WhiteList Filter" - Only defined telegrams (selected by type identification and cause of transmission) will be sent in transmit direction to the remote network with the WhiteList Filter enabled. All undefined telegrams are blocked.
  o All Syslog events are also written to a security logbook. This can be viewed and downloaded via SICAM WEB
  o A user-defined 32 Byte prefix text can be added to every Syslog message
- IPSec enhancements
  o Remote ID can now be left empty (then the IP address will be used) while the Local ID is parameterized to use FQDN (e.g. "CMIC")
  o Sub network mask for local IP V4 address can have the value 255.255.255.255 to protect a single host network when using IPSec

Third-party Software Related Updates
- OpenSSL version updated to 1.0.2k to address multiple reported vulnerabilities (see OpenSSL news)
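The WhiteList Filter behaviour described above for the ET84 interface (malformed IEC 104 packets blocked, and only allow-listed type identification / cause of transmission pairs sent in transmit direction), sketched as an added example that is not Siemens code. The allow-list entries, function names and sample frames are assumptions constructed for illustration; the two log texts are the ones quoted in this report, and field sizes assume standard IEC 60870-5-104 (2-octet cause of transmission, 2-octet common address).

```python
# Added illustration, not vendor code. Allow-list entries are assumptions.
ALLOWED = {      # (type identification, cause of transmission)
    (1, 3),      # M_SP_NA_1 single-point information, spontaneous
    (13, 1),     # M_ME_NC_1 measured value (short float), periodic
    (30, 3),     # M_SP_TB_1 single-point with time tag, spontaneous
    (100, 7),    # C_IC_NA_1 interrogation, activation confirmation
}
MSG_MALFORMED = "Data message blocked by system internal WhiteList Filter"
MSG_FILTERED = ("Data message in transmit direction blocked by "
                "activated WhiteList Filter")


def parse_apdu(frame: bytes):
    """Return (format, type_id, cot); raise ValueError if malformed."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("bad start octet or truncated APCI")
    length = frame[1]
    if not 4 <= length <= 253 or len(frame) != length + 2:
        raise ValueError("length octet does not match frame size")
    # Low bits of the first control octet select I, S or U format.
    fmt = "I" if frame[2] & 1 == 0 else ("S" if frame[2] & 3 == 1 else "U")
    if fmt != "I":
        if length != 4:
            raise ValueError("S/U format must not carry an ASDU")
        return fmt, None, None
    asdu = frame[6:]
    if len(asdu) < 6:                   # type, VSQ, COT(2), common address(2)
        raise ValueError("ASDU shorter than its data unit identifier")
    type_id, cot = asdu[0], asdu[2] & 0x3F   # low 6 bits hold the cause
    if type_id == 0 or cot == 0:
        raise ValueError("undefined type identification or cause")
    return fmt, type_id, cot


def filter_frame(frame: bytes, allowed=ALLOWED, prefix: str = ""):
    """Return (forward, syslog_text) for one frame in transmit direction."""
    tag = prefix.encode()[:32].decode(errors="ignore")  # 32-byte prefix cap
    try:
        fmt, type_id, cot = parse_apdu(frame)
    except ValueError as exc:
        return False, f"{tag}{MSG_MALFORMED} ({exc})"
    if fmt == "I" and (type_id, cot) not in allowed:
        return False, f"{tag}{MSG_FILTERED} (TI={type_id}, COT={cot})"
    return True, None


def i_frame(type_id: int, cot: int) -> bytes:
    """Build a constructed I-format APDU (sequence numbers 0) for the demo."""
    asdu = bytes([type_id, 1, cot, 0, 1, 0, 1, 0, 0, 1])
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu


if __name__ == "__main__":
    for f in (i_frame(1, 3), i_frame(45, 6), bytes.fromhex("680e0000000001")):
        print(filter_frame(f, prefix="RTU-01 "))
```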

January 2017: Security related updates in SICAM A8000 CP-8050 RTUs

In January 2017 we released the firmware version V1 of our new RTU product SICAM A8000 CP-8050 with the following security updates.

Security-relevant features
- Role-based access control (RBAC) with support for IEC 62351-8 standard roles in device and in the engineering software SICAM TOOLBOX II
- Support for both device-local user accounts and RADIUS-based central user management
- Secured password storage
- Digitally signed firmware
- Secure factory reset of the device
- Configurable SD card usage
- Onboard firewall with rule generation and editing options
- Onboard IPSec features for end-to-site communication security – up to 8 IPSec VPN tunnels supported
- Security event logging both locally on device and via Syslog protocol – up to 2 configurable Syslog servers supported
- Enable/disable the “Remote operations” feature with process data messages
- BDEW whitepaper security conformance statement available

November 2016: Security related updates in SICAM A8000 CP-8000/21/22 RTUs

In November 2016 we released the firmware version V11 of the SICAM A8000 CP-8000/21/22 products with the following security updates.

Security-relevant features
- TLS 1.2 support for HTTPS
- IPSec enhancements:
  o Support for SHA384, DH groups 5 and 14
  o Ciphers removed from auto-configuration: 3DES, MD5, DH Group 1
- Digitally signed firmware
- Support for backup RADIUS server
- Syslog messages can be sent to a second Syslog Server
- Enable/disable the “Remote operations” feature with process data messages

Third-party Software Related Updates
- Upgrade to SQLite 3.13.0 to address a reported vulnerability (see more information)

- Upgrade to Expat XML Parser 2.2.0 to address multiple reported vulnerabilities (see Expat news)

October 2016: Security related updates to SM-2558 Ethernet Interface

Security Advisory SSA-296574
A "Denial of Service" vulnerability has been addressed in the ETA4 firmware Revision 08 for IEC 60870-5-104 communication.
More information can be found under: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-296574.pdf

SICAM POWER QUALITY & MEASUREMENTS
SECURITY UPDATE OVERVIEW

[Timeline: Jan-18 to Dec-18]

Most recent software/firmware with security update

Power Meter
- No security updates in the past month

Digital Measurement and Transducer
- No security updates in the past month

Power Quality Recorder
- SICAM Q100: Update V2.00, April 2018
- SICAM Q200: Update V2.20, April 2018

Power Quality Applications
- No security updates in the past month

System Software
- SICAM PQS: V8.09, June 2017
- SICAM PQ Analyzer: Advisory V3.11, June 2018
- SIGUARD PDP: V5.20, September 2017

June 2018: Security related updates to SICAM PQ Analyzer

Security Advisory SSA-159860
SICAM PAS/PQS V3.11 addresses a security vulnerability. More information can be found under: https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf

April 2018: Security related updates to SICAM Q200

In April 2018 we released the SICAM Q200 – “Multifunctional Power Recorder and Power Analyzer” - with firmware version V2.20 with the following security features.

Security-relevant features
- New central logging functionality for security-relevant events and alarms (Syslog support): All security-relevant events and alarms that are recorded in the device-internal security log can also be simultaneously transferred to central syslog servers, in order to facilitate substation-wide aggregation of all security-relevant events in adherence to standards and guidelines such as IEEE 1686, IEC 62443 and BDEW Whitepaper

Security-relevant features
- OpenSSL version updated to 1.0.2n to address multiple reported vulnerabilities (see OpenSSL news)

April 2018: Security related updates to SICAM Q100

In April 2018 we released the SICAM Q100 – “Power Quality Recorder” - with firmware version V2.00 with the following security features.

Security-relevant features
- Digitally signed firmware
- Logging of security-relevant events in the password-protected device-internal audit log in adherence to standards and guidelines such as IEEE 1686, IEC 62443 and BDEW Whitepaper

November 2017: Security related updates to SICAM Q200

In November 2017 we released the SICAM Q200 – “Multifunctional Power Recorder and Power Analyzer” - with firmware version V2.10 with the following security features.

Security-relevant features
- HTTPS-secured web interface with TLS 1.2 and TLS 1.1 support
- Digitally signed firmware
- Logging of security-relevant events in the password-protected device-internal audit log

November 2017: Security related updates in SICAM PQ Analyzer

In November 2017 we released the version SICAM PQ Analyzer V3.10 with the following security updates.

Security-relevant updates
- Added support for the following operating systems: Windows 10 IoT Enterprise LTSB (64-bit), Windows Server 2016 with Desktop Experience (64-bit)

October 2017: Security related features in SIGUARD PDP

In October 2017 we released SIGUARD PDP – Phasor Data Processor for Wide Area Monitoring - Version V5.20.

Security-relevant updates
- Added support for Microsoft Windows 10 Pro (64 bit) operating system for SIGUARD PDP UI and Engineer workstations
- Information and recommendations on SIGUARD PDP system hardening and administration in the accompanying Administrator Guide

June 2017: Security related updates in SICAM PQ Analyzer

In June 2017 we released the version SICAM PQ Analyzer V3.09 with the following security updates.

Security-relevant features
- Secure authentication: User credentials are checked while accessing Archive with SICAM PQ Analyzer or SICAM Collector

Third-party Software Related Updates
- NTP version updated to V4.2.8p10 to address multiple reported vulnerabilities (see NTP notices)

November 2016: Security related updates in SICAM PQ Analyzer

In November 2016 we released the version SICAM PQ Analyzer V3.08 with the following security updates.

Security-relevant features
- Syslog Server Support
  o User activities on SICAM PQS archives can be logged into Syslog server by configuring Syslog server information in SICAM PQS – User Administration
  o User activities on SICAM PQ Collector Archives can be logged into Syslog server by configuring Syslog server information in SICAM PQ Collector
  o All user activities on PQS Archive or SICAM PQ Collector archives are logged in Event logs by default
- Three additional roles (according to IEC62351-8) are introduced:
  o RBAC manager
  o Security administrator
  o Security auditor

Third-party Software Related Updates
- Siemens Automation License Manager (ALM) updated to version V5.3 SP3 Update 1 to address multiple reported vulnerabilities (see advisory)
- 7-Zip version updated to V16.00 to address multiple reported vulnerabilities (see more information)

September 2016: Security related features in SIGUARD PDP

In September 2016 we released SIGUARD PDP – Phasor Data Processor for Wide Area Monitoring - Version V5.10 with the following security features:

Security-relevant features
- Cyber Diode (spontaneous start of communication to partner-PDC)
- Role-based access control with Windows user administration and NTFS security features
- Securing the data connections using IPSec between different SIGUARD PDP servers/workstations, and between the PMU and the SIGUARD PDP Server
- Information and recommendations on SIGUARD PDP system hardening and administration in the accompanying Administrator Guide
- Support for Microsoft Windows 8.1 and Windows 2012 R2 operating systems

August 2016: Security related updates to SICAM Q200

In August 2016 we released the SICAM Q200 – “Multifunctional Power Recorder and Power Analyzer” - with firmware version V1.00 with the following security features.

Security-relevant features
- Role-based access control
- SNMPv3 with support for User-based Security Model (USM) as per RFC 3414.

ACCESSORIES
SECURITY UPDATE OVERVIEW

[Timeline: Jan-18 to Dec-18]

Most recent software/firmware with security update
- No security updates in the past month

Unrestricted

Published by and copyright © 2018:

Siemens AG
Energy Management Division
Humboldtstr. 59
90459 Nuremberg, Germany
www.siemens.com/siprotec
www.siemens.com/sicam

For more information, please contact your Siemens Partner or our Customer Support Center.

Phone: +49 180 524 70 00
Fax: +49 180 524 24 71
(Charges depending on the provider)

Email: [email protected]

All rights reserved.
Trademarks mentioned in this document are the property of Siemens AG, its affiliates, or their respective owners.
Subject to change without prior notice.

The information in this document contains general descriptions of the technical options available, which may not apply in all cases. The required technical options should therefore be specified in the contract.

For all products using security features of OpenSSL the following shall apply:

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (www.openssl.org).

This product includes cryptographic software written by Eric Young ([email protected]).