Hitachi Energy Vulnerabilities Plague SCADA Power Systems

Hitachi Energy is urging customers of its MicroSCADA X SYS600 product for monitoring and controlling utility power systems to immediately upgrade to a newly released version to mitigate multiple critical and high-severity vulnerabilities.

In a security advisory this week, the company described the vulnerabilities as enabling attacks that could have serious confidentiality, integrity, and availability impacts on affected products.

Hiatchi's MicroSCADA X SYS600 is a system that it acquired from its purchase of ABB's Power Grids business. Hitachi Electric says the technology is currently deployed across more than 10,000 substations, and is being used to manage and monitor power across power grids, process industries, data centers, seaports, hospitals, railways, and at least 30 airports.

Risk from compromise could be significant: power companies use MicroSCADA to enable "real-time monitoring and control of primary and secondary equipment in transmission and distribution substations," according to the company. Hitachi lists the product's main features as including disturbance analysis, power quality monitoring, and both manual and automatic control.

Patch Now to Avoid Critical Power Disruption

 Four of the five vulnerabilities that Hitachi disclosed impact MicroSCADA X SYS600 versions 10.5 and below. The other is present in MicroSCADA X SYS600 versions 10.2 to 10.5. Hitachi wants customers using affected versions to update to the new version 10.6 right away.

"These vulnerabilities were detected and reported internally in Hitachi Energy," the advisory noted, adding some good news: "Hitachi Energy is not aware of these vulnerabilities being exploited in the wild at the time of this advisory publication," on Aug. 27.

However, that could change. Products such as these can be attractive targets for attackers seeking to disrupt or degrade power supplies. Many recent examples involve Russian actors targeting power systems in Ukraine in attacks that have caused major blackouts and disruption across wide areas, including via Hitachi gear.

In one incident, Russia's Sandworm group is thought to have used a compromised MicroSCADA server to send commands to a substation's remote terminal units and trigger a power outage in Ukraine just prior to a Russian missile barrage. In a Dark Reading column last year, a Hitachi Energy executive himself identified digital substations as being of particular interest to cyberattackers because of the potential damage they could cause via a coordinated attack.

MicroSCADA CVEs, CVSS & Vulnerability Details

Hitachi is tracking the five new vulnerabilities in MicroSCADA X SYS600 as CVE-2024-4872; CVE-2024-3980; CVE-2024-3982; CVE-2024-7940; and CVE-2024-7941.

Four of the vulnerabilities have severity ratings of 8.2 or higher on the 10-point CVSS scale.

Of these, CVE-2024-4872 and CVE-2024-3980 appeared to be the most critical, with a near-maximum vulnerability score of 9.9 out of 10.0. Hitachi identified CVE-2024-4872 as enabling SQL injection attacks resulting from the product's failure to properly validate user queries. The company described CVE-2024-3980 as an argument injection vulnerability that attackers could leverage to access or modify system files and other critical application files on affected systems.

CVE-2024-3982 (CVSS score 8.2) meanwhile is an authentication bypass vulnerability that enables session hijacking. However, to pull it off an attacker would need to have local access to a machine where a vulnerable instance of MicroSCADA X SYS600 is installed, and enable session logging, Hitachi said.

"By default, the session logging level is not enabled and only users with administrator rights can enable it," the company noted.

CVE-2024-7940 (CVSS score 8.3) has to do with missing authentication for a critical function that exposes what should be a local service to all network services without any authentication.

And lastly, CVE-2024-7941, a vulnerability that offers a way to redirect users to a malicious site or attacker-controlled URL, is a relatively low-severity threat with a CVSS score of 4.3.

"By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials," Hitachi explained.