CISA Adds Hitachi Energy PCM600 Vulnerabilities to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has identified critical vulnerabilities in Hitachi Energy's PCM600 software. These vulnerabilities pose significant risks to energy infrastructure and require immediate remediation.

PCM600 is a power system control and monitoring software used extensively in energy sector operations. The identified vulnerabilities include multiple security flaws that could allow unauthorized access to critical systems, disruption of power operations, or elevation of privileges.

CISA has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, indicating they are being actively exploited in the wild. Energy sector organizations should treat this as an immediate priority and implement mitigation measures without delay.

Affected versions:

• PCM600 2.9 and all prior versions
• PCM600 2.8 and all prior versions
• PCM600 2.7 and all prior versions

The most severe vulnerabilities include authentication bypass issues, buffer overflows, and improper input validation in the PCM600 software. These vulnerabilities allow unauthenticated remote attackers to execute arbitrary code with SYSTEM privileges. Successful exploitation could result in widespread power outages or unauthorized control of critical infrastructure.

Organizations should take immediate action:

1. Apply the latest security patches from Hitachi Energy
2. Implement network segmentation to limit exposure
3. Restrict access to PCM600 interfaces from untrusted networks
4. Monitor for suspicious activity

Hitachi Energy released patches in June 2023. Organizations that have not yet applied these updates are at significant risk. CISA recommends applying patches within 14 days of release.

For more information, see the CISA Known Exploited Vulnerabilities Catalog and the Hitachi Energy Security Advisory.

Energy sector organizations should contact their Hitachi Energy representatives for assistance with patch deployment. The Department of Energy's Energy Sector Control Systems Working Group is also providing support for this incident.