Hitachi Energy MicroSCADA System Data Manager SDM600

CVSS 9.9 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker to take remote control of the product.

CVE-2022-3682 CVE-2022-3683 CVE-2022-3684 CVE-2022-3685 CVE-2022-3686

Hitachi Energy recommends applying the following mitigations:
All SDM600 versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291): Update to v1.3.0.1339
SDM600 versions prior to v1.3.0 (Build Nr. 1.3.0.1339): Apply workaround detailed below.
Hitachi Energy recommends the following security practices and firewall configurations to help protect a process control network from attacks originating from outside the network:
Practice principles of least privileges to minimize permissions and accesses to SDM600 related resources.
Follow security practices defined in SDM600 security deployment guidelines.
Physically protect process control systems from unauthorized direct access.
Do not directly connect control systems networks to the internet.
Separate process control systems from other networks using a firewall system with a minimal number of open ports.
Process control systems should not be used for internet surfing, instant messaging, or receiving emails.
Portable computers and removable storage media should be carefully scanned for viruses prior connection to a control system.
For more information, see Hitachi security advisory 8DBD000138.

Hitachi Energy

Hitachi Energy · SDM600 < 1.2 FP3 HF4 (Build Nr . 1.2.23000.291)

Hitachi Energy · SDM600 < 1.3.0 (Build Nr. 1.3.0.1339)

Energy

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.