The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory detailing two web‑interface vulnerabilities in Siemens SICAM P850 and P855 power‑system devices. But buried in the notice is a more consequential shift for industrial defenders: CISA will no longer update this advisory, directing operators to track future fixes directly through Siemens’ ProductCERT portal. The agency’s hands‑off approach marks a new normal in how critical infrastructure operators must manage cybersecurity intelligence for industrial control systems.
The advisory, published on December 17, 2024, lists two specific flaws—one Cross‑Site Request Forgery (CSRF) bug and a missing cookie protection mechanism—that together allow an attacker to perform unauthorized actions on affected devices by hijacking or forging a legitimate user’s web session. While the vulnerability scores appear modest at first glance, the operational reality of energy‑sector devices makes patching an urgent priority.
What CISA’s Advisory Actually Says
The December advisory covers a wide swath of SICAM P850 and P855 family products. Siemens itself reported 31 distinct order numbers (SKUs) that are vulnerable when running firmware earlier than version 3.11. Examples include common ordering codes like 7KG8500-0AA00-0AA0 and 7KG8551-0AA32-2AA0, but the full list spans many configurations used in metering, control, and protection functions.
The two tracked vulnerabilities:
- CVE‑2023‑30901 (CVSS 4.3): The device web interface lacks anti‑CSRF tokens. An attacker who convinces an authenticated operator to click a crafted link can execute actions on the device—such as changing settings or triggering functions—under that operator’s session without their knowledge.
- CVE‑2023‑31238 (CVSS 5.5): Default cookie settings omit the
HttpOnly,Secure, andSameSiteflags. That means session tokens can be stolen or reused more easily, allowing an attacker to impersonate a legitimate user after gaining access to the token.
Siemens’ recommended mitigation is straightforward: update all affected products to firmware V3.11 or later. For operators unable to patch immediately, CISA and Siemens both urge restricting access to TCP port 443 (the management interface) to trusted IP addresses only, and instructing engineers not to click unknown links while logged into device web consoles.
Who Should Worry – and Why the CVSS Scores Don’t Tell the Whole Story
These devices aren’t consumer gadgets. SICAM P850 and P855 units sit inside electrical substations, renewable generation sites, and industrial plants, where they handle real‑time power measurement and control. The web interface is typically used by field technicians and OT engineers for configuration and monitoring. A compromise of that interface doesn’t just mean data theft—it can lead to physical process disruption.
A CSRF attack, for instance, could trick an operator into unknowingly altering protection relay settings. Combined with the session‑token weakness, a network intruder who intercepts a cookie could impersonate an authorized user and dig deeper into the operational network. The CVSS base scores of 4.3 and 5.5 reflect a single‑attack complexity, but in OT environments, the actual business impact often far outweighs the numerical rating. As Siemens’ own advisory notes, successful exploitation lets an attacker “perform arbitrary actions on the device on behalf of a legitimate user” or “impersonate that user”—a pair of capabilities that can serve as a foothold for larger attacks.
That reality makes the patch urgency high, even if publicly available exploit code hasn’t appeared yet. The vulnerabilities have been known since at least mid‑2023, and Siemens has been iterating on fixes in multiple ProductCERT advisories. The CISA publication is a fresh reminder, not a new disclosure.
The CISA‑to‑Siemens Handoff: A New Normal for ICS Advisories
The advisory includes a crucial administrative detail: “As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory.” In other words, this December 2024 notice is the first and last CISA publication on these particular CVEs. All future patches, workaround updates, or revised severity assessments will appear only on Siemens’ ProductCERT website.
That shift puts a heavier burden on asset owners. Previously, many U.S. operators relied on CISA’s ICS‑CERT feed as a one‑stop shop for vulnerability intelligence. Now, for Siemens gear at least, the shop is closing early. If Siemens releases a new firmware version next month that fixes a related issue, or if a subsequent advisory changes the recommended remediation for a specific SKU, CISA won’t re‑notify anyone. Operators must actively monitor
https://cert.siemens.com/—not just once, but on an ongoing basis—to stay informed.
Confusingly, the exact remediation baseline has been a moving target. The December CISA advisory points to version 3.11. An earlier Siemens advisory, SSA‑572005, listed V3.10 as the fix for many SKUs. Several community summaries have referenced both numbers. Siemens ProductCERT remains the single source of truth for per‑SKU guidance, so matching your exact order code and current firmware to the latest advisory table is non‑negotiable.
Your 5‑Step Action Plan for SICAM Security
The following steps reconcile the immediate CISA alert with the longer‑term need for direct vendor monitoring.
1. Inventory exactly what you have
Pull a report from your asset management system or physically audit each SICAM device. Record the full order number (the 16‑character string starting with 7KG85) and the installed firmware revision. The December advisory lists over 30 affected SKUs; even devices not explicitly named but belonging to the P850 or P855 family may be impacted if running firmware before 3.11.
2. Visit Siemens ProductCERT for your specific SKU
Don’t rely on the CISA advisory’s blanket “update to V3.11” without cross‑checking. Navigate to https://cert.siemens.com/ and search for the advisory associated with your device family. Look for a consolidated notice like SSA‑201498 (the direct reference in the CISA alert) or any superseding bulletin. The correct remediation version for your SKU will be listed in a table inside that advisory.
3. Apply the firmware update after testing
Downtime in substation equipment often requires a maintenance window. Test the new firmware in a lab or a non‑production segment first. Confirm that all operational functions (metering, protection logic, communications) work correctly after the update. Have a rollback plan ready.
4. Lock down the management interface—now
If you can’t patch immediately, or even if you plan to patch next week, restrict access to TCP/443. Configure firewalls or access‑control lists so that only a small set of management IP addresses (jump hosts, engineering workstations) can reach the web interface. If the device supports disabling the web UI entirely and you don’t need it for daily operations, turn it off. Siemens’ operational guidelines for industrial security recommend protecting network access with “appropriate mechanisms”—that starts with segmentation.
5. Harden administrative workflows
Because the vulnerabilities hinge on social engineering and session hijacking, your people and processes are the last line of defense.
- Set clear policy: no browsing the public internet from an engineering workstation that’s actively logged into a SICAM console.
- Use dedicated, isolated admin PCs that are locked down and regularly patched.
- Enable multi‑factor authentication if the device or jump host supports it.
- Rotate administrative passwords after patching, in case any session tokens were previously exposed.
- Monitor device logs for unexpected configuration changes or repeated failed logins, and feed them into your OT SIEM.
For SKUs that Siemens marks as “no fix planned” (a possibility noted in other SICAM advisory lineages), these compensating controls become your permanent strategy. In such cases, document the risk acceptance and review it annually.
Outlook
CISA’s pivot to a “publish once, then out” model for Siemens advisories is likely to expand in the ICS space. The agency has signaled that vendor PSIRT organizations are better positioned to issue timely updates, and it wants to reduce duplication of effort. For OT teams, that means building direct feed subscriptions into your patch‑management routine—monitoring not just CISA, but Siemens, ABB, Schneider Electric, and every other equipment vendor you run.
Siemens itself continues to demonstrate a proactive stance, issuing per‑SKU advisory tables and iterative patches. The availability of firmware 3.11 across the P850/P855 range shows that the company is still actively supporting these products. Operators who act now can close the web‑facing gap before the known CVEs attract public exploit development. The bigger long‑term challenge is institutional: treating ICS vulnerability intelligence as a continuous, self‑service discipline rather than waiting for a government alert to trigger action.