
SIPROTEC and SICAM Cyber Security

Cyber Security – Product Update Report


April 2020

https://www.siemens.com/gridsecurity
Cyber Security - Product Updates

April 2020 2 Edition 1



SIPROTEC & SICAM Product Security Update Report
April 2020

Dear customer,

Thank you for choosing our products to address your energy automation needs. This report provides an
overview on the latest security-related product updates released by Siemens for the SIPROTEC and SICAM
range of products, spanning:
- Protection, Bay Controller and Fault Recorder
o SIPROTEC 4
o SIPROTEC 5
o SIPROTEC Compact
o Associated engineering and evaluation software
- Substation Automation, RTUs and Power Quality
o SICAM Substation Automation
o SICAM A8000 / SICAM RTUs
o SICAM Power Quality and Measurements

Should you have any questions or need further information in this regard, please contact your Siemens
Partner or our Customer Support Center at support.energy@siemens.com.

Reports Archive
You can retrieve the security update report for 2019 here, 2018 here, 2017 here, and for 2016 here.


Security Updates for SIPROTEC and SICAM Products

Important Updates

Product Updates
April 2020: Firmware revision V4.20 released for SICAM A8000 CP-8050 RTUs with security-relevant updates → click here for details

Security Advisories
April 2020: There were no security advisories or related updates released in April 2020

Microsoft Windows Security Patch Compatibility Reports


The Microsoft Windows Security patch compatibility reports for the SIPROTEC and SICAM family of PC-based
software products can be found under Downloads tab → Software → Security Patch Management at this link:
https://new.siemens.com/global/en/products/energy/energy-automation-and-smart-grid/grid-security/product-security.html

Information related to Security Patch Management Practices


In order to maximize the operational security and availability of critical systems, Siemens strongly
recommends that customers upgrade to supported versions of Microsoft Windows operating systems and
Windows-based Siemens products, and systematically practice security patch management. Siemens
recommends that customers sign up for its patch management and system maintenance services, which enable
customers to receive tailored security patch management recommendations with minimized delays.


SIPROTEC 4: SECURITY UPDATE OVERVIEW

| Product group | Device types | Jan-20 to Dec-20 | Most recent firmware version with security update |
| --- | --- | --- | --- |
| Overcurrent Protection | SIPROTEC 7SJ61, 7SJ62, 7SJ64 | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Overcurrent Protection | SIPROTEC 7SJ66 | | |
| Distance Protection | All device types | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Line Differential Protection | All device types | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Transformer Protection | All device types | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Busbar Protection | All device types | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Generator Protection | All device types | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| High Speed Busbar Transfer | All device types | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Bay Controller | All device types | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| V/f-Relays | All device types | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Transient Earth Fault Relay | All device types | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Breaker Failure Protection | All device types | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Breaker Management | All device types | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| SIPROTEC 4 – Communication Interfaces | IEC 61850 communication module | | V4.37, December 2019 (click for more information) |
| SIPROTEC 4 – Communication Interfaces | DNP3 TCP communication module | | Mitigations and workarounds available (click for more information) |
| SIPROTEC 4 – Communication Interfaces | IEC 104 communication module | | Mitigations and workarounds available (click for more information) |
| SIPROTEC 4 – Communication Interfaces | PROFINET IO communication module | | Mitigations and workarounds available (click for more information) |
| SIPROTEC 4 – Communication Interfaces | MODBUS TCP communication module | | Mitigations and workarounds available (click for more information) |

February 2020: SIPROTEC 4 and SIPROTEC Compact


Security Advisories
- SIPROTEC 4 and SIPROTEC Compact relays equipped with EN100 Ethernet communication modules are affected by a security vulnerability. More information,
including mitigations and workarounds can be found in our security advisory SSA-974843 on our ProductCERT website

December 2019: EN100 Security Updates

Security Advisories
- EN100 E+/O+ IEC 61850 Communication Module firmware version V4.37 addresses security vulnerabilities. More information, including mitigations and
workarounds for EN100 module variants with pending firmware updates, can be found in our security advisory SSA-418979 on our ProductCERT website


SIPROTEC 5: SECURITY UPDATE OVERVIEW

| Product group | Device types | Jan-20 to Dec-20 | Most recent firmware version with security-relevant update |
| --- | --- | --- | --- |
| Overcurrent Protection | SIPROTEC 7SJ82, 7SJ85, 7SJ86 | Update | V8.01 January 2020. Click here for details on security-relevant updates |
| Distance Protection | SIPROTEC 7SA82, 7SA86, 7SA87 | Update | V8.01 January 2020. Click here for details on security-relevant updates |
| Line Differential Protection | SIPROTEC 7SD82, 7SD86, 7SD87 | Update | V8.01 January 2020. Click here for details on security-relevant updates |
| Line Differential and Distance Protection | SIPROTEC 7SL82, 7SL86, 7SL87 | Update | V8.01 January 2020. Click here for details on security-relevant updates |
| Breaker Management | SIPROTEC 7VK87 | Update | V8.01 January 2020. Click here for details on security-relevant updates |
| Transformer Protection | SIPROTEC 7UT82, 7UT85, 7UT86, 7UT87 | Update | V8.01 January 2020. Click here for details on security-relevant updates |
| Motor Protection | SIPROTEC 7SK82, 7SK85 | Update | V8.01 January 2020. Click here for details on security-relevant updates |
| Generator Protection | SIPROTEC 7UM85 | Update | V8.01 January 2020. Click here for details on security-relevant updates |
| Busbar Protection | SIPROTEC 7SS85 | Update | V8.01 January 2020. Click here for details on security-relevant updates |
| Bay Controller | SIPROTEC 6MD85, 6MD86 | Update | V8.01 January 2020. Click here for details on security-relevant updates |
| Fault Recorder | SIPROTEC 7KE85 | Update | V8.01 January 2020. Click here for details on security-relevant updates |
| Paralleling Device | SIPROTEC 7VE85 | Update | V8.01 January 2020. Click here for details on security-relevant updates |
| Ethernet Plug-in Communication Interfaces | SIPROTEC 5 Ethernet plug-in communication modules | Update | V8.01 January 2020. Click here for details on security-relevant updates |

January 2020: SIPROTEC 5 Security Updates


We released the firmware version V8.01 for SIPROTEC 5 protection relays with the following security-relevant updates.

Security-relevant Features
• New: VLAN support for IP-based protocols on the Ethernet plug-in module ETH-BD-2FO. On a single physical Ethernet port of the ETH-BD-2FO, customers can
now assign separate logical IP addresses that reside in different VLANs. For instance, management and maintenance protocols such as DIGSI 5 engineering,
RADIUS and Syslog can be assigned a logical IP address in the engineering VLAN, while IP-based process communication protocols such as
IEC 61850-MMS can be assigned a logical IP address in a separate process VLAN, both on the same physical Ethernet port of the ETH-BD-2FO module. This
achieves network segmentation without the need for separate physical wiring of the two networks and without the need for two different
communication modules on the SIPROTEC 5 relay.
• New: Certificate management support over the SIPROTEC 5 web browser UI. Customers can now assign digital certificates that are signed by their
own CA (certificate authority) to the SIPROTEC 5 web server that is accessible over the relay’s Ethernet ports and the USB port. This is done by
downloading certificate signing requests (CSRs) from the SIPROTEC 5 relay over the web browser UI, signing the CSRs with the customer’s CA and then
uploading the signed certificates back into the relay over the web browser UI. The CSR signing can be performed using any standards-based certificate
management software such as SICAM GridPass.
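
The CSR signing step described above, carried out with the OpenSSL command line as an added example (it is not Siemens code and not part of the relay or SICAM GridPass tooling). The CA, the CSR standing in for the one downloaded from the relay, and every subject name and file path are constructed placeholders.

```shell
#!/bin/sh
# Added example: sign a device CSR with a customer CA using OpenSSL.
# Every name, subject and path below is a constructed placeholder.
set -eu

# write_configs DIR: OpenSSL config for the stand-in CA and for the relay.
write_configs() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example Utility
CN = Example Substation CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$1/relay.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
O = Example Utility
CN = relay01.example.internal
[v3_relay]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:relay01.example.internal
EOF
}

# sign_relay_csr DIR: returns 0 only if the issued certificate chains to the CA.
sign_relay_csr() {
    d=$1
    write_configs "$d"
    # Stand-in for the customer's existing CA certificate and key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # Stand-in for the CSR downloaded from the relay web UI; it is generated
    # locally here only so that there is a CSR to sign.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/relay.cnf" \
        -keyout "$d/relay.key" -out "$d/relay.csr" 2>/dev/null
    # Check the CSR's self-signature and read its subject before signing.
    openssl req -in "$d/relay.csr" -noout -verify -subject >/dev/null 2>&1
    # Issue the certificate. Extensions come from the CA-side file, not from the
    # CSR, so the signer decides this is a non-CA, server-authentication cert.
    openssl x509 -req -in "$d/relay.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$d/relay.cnf" -extensions v3_relay -out "$d/relay.pem" 2>/dev/null
    # Verify the result as a TLS server certificate before uploading it.
    openssl verify -CAfile "$d/ca.pem" -purpose sslserver "$d/relay.pem" >/dev/null
}

workdir=$(mktemp -d)
sign_relay_csr "$workdir" && echo "issued: $workdir/relay.pem"
```

Browsers and engineering PCs that connect to the relay's web server need the CA certificate (here `ca.pem`) in their trust store for the signed certificate to validate.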

Security Advisory SSA-632562


- SIPROTEC 5 firmware version V8.01 also addresses security vulnerabilities. More information, including solutions, mitigations and workarounds can be found
in: https://cert-portal.siemens.com/productcert/pdf/ssa-632562.pdf

SIPROTEC COMPACT: SECURITY UPDATE OVERVIEW

| Product group | Device types | Jan-20 to Dec-20 | Most recent firmware version with security update |
| --- | --- | --- | --- |
| Overcurrent Protection | SIPROTEC 7SJ80 | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Motor Protection | SIPROTEC 7SK80 | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Voltage and Frequency Protection | No security updates in the past month | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Line Differential Protection | SIPROTEC 7SD80 | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| Feeder Protection | No security updates in the past month | Advisory | Click here for workarounds and mitigations regarding the most recent security advisory |
| SIPROTEC Compact – Communication Interfaces | IEC 61850 Communication module | | V4.37, December 2019 (click for more information) |
| SIPROTEC Compact – Communication Interfaces | DNP3 TCP communication module | | Mitigations and workarounds available (click for more information) |

December 2019: SIPROTEC Compact related Security Updates


Firmware version V4.37 has been released for EN100 E+/O+ IEC 61850 communication module with security updates, and security advisories have been released
and/or updated. Click here for more details.

SIPROTEC SOFTWARE: SECURITY UPDATE OVERVIEW

| Software | Jan-20 to Dec-20 | Most recent software version with security-relevant update |
| --- | --- | --- |
| DIGSI 5 | Update | V8.01, January 2020. Click here for details on security-relevant updates. |
| DIGSI 4 | | |
| IEC 61850 System Configurator | | |
| SIGRA | | |

January 2020: DIGSI 5 Security Updates


We released the DIGSI 5 software version V8.00 with the following security-relevant updates.

Security-relevant Features
- Digitally signed binaries: DIGSI 5 binaries (DLLs and EXEs) installed on the user’s computer bear a digital signature with a certificate issued by a publicly trusted CA.
This enables customers to apply strong application whitelisting on the DIGSI 5 installation using software such as Microsoft Windows Defender Application Control.

SICAM SUBSTATION AUTOMATION: SECURITY UPDATE OVERVIEW

| Product group | Product | Jan-20 to Dec-20 | Most recent software/firmware version with security update |
| --- | --- | --- | --- |
| Substation Automation | SICAM PAS | | V8.14, Dec 2019. Click here for more details on security updates |
| HMI and Archiving | SICAM SCC | | |
| Security Management | SICAM GridPass | Update | V1.40 January 2020. Click here for more details on security updates |
| Short-Circuit Indicator | SICAM FCG – Fault Collector Gateway | | |
| Short-Circuit Indicator | SICAM FSI – Fault Sensor Indicator | | |

January 2020: Security related updates in SICAM GridPass V1.40


We released the version SICAM GridPass V1.40 with the following security updates to its certificate management features:
- Wizard to create valid certificates step-by-step for different use cases
- IEC 62351-8 role extension for certificates
- Further improvements

Third-party Software Related Updates


- Cesanta Mongoose updated to version 6.16 (see here → Mongoose release notes)
- SQLite version updated to version 3.30.1 (see here → SQLite release history)


December 2019: Security related updates in SICAM PAS V8.14


We released the version SICAM PAS/PQS V8.14 with the following security updates:
- TLS 1.2 protection for the following protocols can be configured with encryption disabled (integrity-only mode), in order to assist diagnostics and
deep packet inspection scenarios:
o IEC 61850 Client and Server
o IEC 60870-5-104 Master and Slave
o DNP3i Master and Slave
- SNMP client supports secured communication
- Security event is logged when configuration changes are activated in the runtime using the context menu

Third-party Software Related Updates


- Security vulnerability fixes released for the 3rd-party components OPC UA and Sentinel LDK have been integrated. See the SICAM PAS V8.14 release notes for more
details: https://support.industry.siemens.com/cs/document/109773141/sicam-pas-pqs-v8-14?dti=0&lc=en-US

SICAM A8000 / SICAM RTUs: SECURITY UPDATE OVERVIEW

| Product group | Product | Jan-20 to Dec-20 | Most recent software/firmware version with security update |
| --- | --- | --- | --- |
| | SICAM A8000 CP-8000/21/22 | | V15, Oct 2019. Click here for more details on security updates |
| | SICAM A8000 CP-8050 | Update | V4.20, Apr 2020. Click here for more details on security updates |
| SICAM RTUs – Engineering Software | SICAM AK3 | | V05, Oct 2019. Click here for more details on security updates |
| SICAM RTUs – Communication Interfaces | SM-2558 Ethernet-Interface | | |

April 2020: Security related updates in SICAM A8000 CP-8050 RTUs


We released the firmware revision V4.20 of the SICAM A8000 CP-8050 RTU with the following security updates.
- 802.1X EAP/TLS Authentication: Enhancement of 802.1X EAP/TLS for authenticated network access to wired Ethernet networks
- Enhancement of the algorithms used by Secure-NTP: Enhanced by RIPEMD160, SHA224, SHA256, SHA384, SHA512
- Service Forwarding: It is possible to forward all port numbers for a service forwarding rule
- Weak TLS protocols (TLS 1.0, TLS 1.1), cipher suites and hashing algorithms for online configuration interface are no longer supported

Third-party Software Related Updates


- OpenSSL version updated to 1.1.1 (see here for more information → OpenSSL 1.1.1 release notes)

October 2019: Security related updates in SICAM A8000 and SICAM AK3 RTUs
We released the firmware revision V15 of the SICAM A8000 CP8000 RTU with the following security updates.
- Support of SNMP Digital Grid Product Inventory MIB
- Interface status (LINK up/down) can be read for ports X1 and X4 over SNMPv3
- Password policy can be configured
o minimum number of capital letters
o minimum number of small letters
o minimum number of special characters
o minimum number of digits
o minimum password length

Third-party Software Related Updates in SICAM A8000 CP-8000 Firmware V15 and SICAM AK3 Firmware V05
- OpenSSL version updated to 1.0.2r to address multiple reported vulnerabilities (see here → OpenSSL news)

March 2019: Security related updates in SICAM A8000 RTUs


We released the firmware revision V03 of the SICAM A8000 CP8050 RTU with the following security updates.
- Centralized role-based access control (RBAC) with central user management now also supported using LDAP over TLS 1.2 according to IEC 62351-8 PULL model
o Role information is resolved by retrieving the user’s attribute certificate or ID certificate from user account’s LDAP folder (e.g. in Active Directory)
o This option is additional to the existing RADIUS based RBAC support
- Transport-layer security for IEC 61850-MMS communication (server and client) based on IEC 62351-4 and IEC 62351-3 now supported by ETI-5 Ethernet Interface
firmware revision 0311
- AES256 encryption support for SNMPv3
- Emergency password (device-local account) can be changed via SNMPv3
- NTP protocol implementation now supports authentication with symmetric keys
- Service forwarding via IPSec tunnel supported

SICAM POWER QUALITY & MEASUREMENTS: SECURITY UPDATE OVERVIEW

| Product group | Product | Jan-20 to Dec-20 | Most recent software/firmware with security update |
| --- | --- | --- | --- |
| Power Meter | No security updates in the past month | | |
| Digital Measurement and Transducer | No security updates in the past month | | |
| Power Quality Recorder | SICAM Q100 | | |
| Power Quality Recorder | SICAM Q200 | Update | V2.50, Mar 2020. Click here for more details on security updates |
| Power Quality Applications | No security updates in the past month | | |
| System Software | SICAM PQS | | |
| System Software | SICAM PQ Analyzer | | |

March 2020: Security related updates in SICAM Q200


We released the firmware revision V2.50 of the SICAM Q200 Power Quality Recorder and Multifunctional Measuring Device with the following security updates.
Role-based Access Control (RBAC) with central user management:
- Centrally manage user accounts in RADIUS / ActiveDirectory and roles in RADIUS
- Protection against unauthorized access to device over Web interface thanks to the inbuilt RADIUS authentication and authorization option
- Support for standard roles and rights in adherence to standards and guidelines such as IEC 62351-8, IEEE 1686 and BDEW Whitepaper
- Emergency / local access possibility in case of interruption in RADIUS server communication


Third-party Software Related Updates in SICAM Q200


- Mbed TLS version updated to 2.7.10 to address reported vulnerabilities (see here → Mbed TLS release notes)


Published by and copyright © 2020:


Siemens AG
Energy Management Division
Humboldtstr. 59
90459 Nuremberg, Germany
www.siemens.com/siprotec
www.siemens.com/sicam

For more information, please contact your Siemens Partner or our Customer Support Center.
Phone: +49 180 524 70 00
Fax: +49 180 524 24 71
(Charges depending on the provider)
Email: support.energy@siemens.com

All rights reserved.
Trademarks mentioned in this document are the property of Siemens AG, its affiliates, or their respective owners.
Subject to change without prior notice.
The information in this document contains general descriptions of the technical options available, which may not apply in all cases. The required technical options should therefore be specified in the contract.

For all products using security features of OpenSSL the following shall apply:
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (www.openssl.org).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

Unrestricted
