Hitachi Energy’s Relion 670 and 650 series and SAM600-IO devices underpin the protection and control systems of critical energy infrastructure worldwide. A recent cybersecurity advisory discloses severe vulnerabilities in these core product families, vulnerabilities which, if exploited, could have profound implications for energy sector reliability and operational stability.

Understanding the Context: What Are Relion and SAM600-IO?

Hitachi Energy, headquartered in Switzerland and operating worldwide, develops intelligent electronic devices (IEDs) used in transmission and distribution networks for fault detection, power system protection, automation, and control. The Relion 670 and 650 series, along with the SAM600-IO, form an integral layer of the digital substation architecture, tasked with ensuring grid stability and asset safety. These devices are widely adopted in both legacy and newly commissioned substations, emphasizing their strategic importance to national critical infrastructure.

Executive Risk: Exposing the Integer Overflow Weakness

Security researchers, with Hitachi Energy itself reporting to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have uncovered two discrete but closely related vulnerabilities impacting the Wind River VxWorks real-time operating system (RTOS) components embedded within these IEDs.

Why These Vulnerabilities Matter

Both issues, catalogued as CVE-2020-28895 (CVSS 7.3) and CVE-2020-35198 (CVSS 9.8), stem from integer overflow or wraparound flaws in the RTOS’s memory allocator, specifically in the computation of the size of a requested memory block in calloc(). When the product of the element count and the element size exceeds the range of the size type, the computed byte count wraps to a smaller value, so less memory is actually allocated than the caller expects.

What Is the Practical Risk?

When such a condition occurs, subsequent code may unknowingly operate beyond the bounds of the allocated memory. This results in classic memory corruption scenarios—undefined behaviors that may leave the device vulnerable to remote code execution, device crashes, denial of service, or information leakage, depending on exploit technique and context. In energy infrastructure, such exploits might, in a worst-case scenario, trigger widespread operational disruptions.

Degree of Difficulty

The vulnerabilities are exploitable remotely, require low attack complexity, and demand no authentication—significantly elevating their risk profile. While there are no known public exploits currently targeting these issues, their accessibility on unsegmented or poorly secured networks means the window for malicious use is perpetually open.

Deconstructing the Vulnerabilities

Scope of Impact: Devices and Versions

The flaws affect a broad swathe of product firmware across multiple revision lines, from the early 1.x and 2.x generations through mid-2020s releases. The following summarises the exposure window:
  • Relion 670/650/SAM600-IO: All versions and revisions listed from 1.1/1.2/1.3 through to 2.2.5 (prior to patch levels noted below).
  • Interaction with the calloc() routine in Wind River VxWorks 7 is implicated directly.
With exposed devices found worldwide, the risk footprint extends across North America, Europe, Asia, and regions where digital substations drive the grid modernization agenda.

Table: Affected Products and Required Actions

Product Series             | Version/Revision   | Update/Mitigation Instructions
---------------------------|--------------------|-----------------------------------------
Relion 670/650/SAM600-IO   | 2.2.5 ≤ 2.2.5.1    | Update to 2.2.5.2 or latest
Relion 670/650             | 2.2.4 ≤ 2.2.4.2    | Update to 2.2.4.3 or latest
Relion 670                 | 2.2.3 ≤ 2.2.3.4    | Update to 2.2.3.5 or latest
Relion 670                 | 2.2.2 ≤ 2.2.2.4    | Update to 2.2.2.5 or latest
Relion 670/650/SAM600-IO   | 2.2.1 ≤ 2.2.1.7    | Update to 2.2.1.8 or latest
Legacy lines               | 1.1 ~ 2.2.0        | Refer to detailed mitigation strategies
Sources cross-referenced with Hitachi Energy’s PSIRT Security Advisory 8DBD000070 and the official CISA ICS Advisory confirm these risk bounds.

Dissecting the Technical Details

The CWE-190: Integer Overflow or Wraparound

The Common Weakness Enumeration (CWE) designation identifies integer overflow and wraparound as a top-tier risk in memory management. In this instance, both CVE-2020-28895 and CVE-2020-35198 derive from the RTOS’s inability to properly assess or constrain memory allocation parameters—an architectural oversight that recurs in embedded and IoT device software globally.
  • CVE-2020-28895: Impacts various VxWorks versions, enabling partial memory corruption and potential device instability.
  • CVE-2020-35198: Specifically affects VxWorks 7, and is scored at 9.8 (critical) given the high impact and ease of exploitation (CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
External validation from MITRE and NIST NVD databases supports these CVSS scores and descriptions. Update recommendations and version-specific patching strategies have been independently confirmed by both MITRE CVE and NIST.
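The wraparound described under "Why These Vulnerabilities Matter" and classified here as CWE-190 is easy to see in a few lines of C. The block below is an added example written for this post; it is not Hitachi Energy's firmware or the Wind River VxWorks allocator, and the function names, the constructed request sizes and the safe_calloc wrapper are all assumptions made for illustration. It places an unchecked size computation beside the check a correct calloc() must perform, shows a request whose true size exceeds SIZE_MAX wrapping to 2 bytes, and shows a wrapper that fails closed with ENOMEM instead of returning an undersized block.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the CWE-190 defect class: the byte count for an
 * nmemb-by-size request is formed with an unchecked multiply, so when the
 * true product does not fit in size_t it silently wraps modulo SIZE_MAX + 1
 * and a much smaller block is handed back. Hypothetical code, not VxWorks. */
size_t unchecked_alloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Hardened form: reject the request before touching the heap. The division
 * test is exact and needs no wider integer type. On overflow *out is set to
 * 0 and false is returned. */
bool checked_alloc_size(size_t nmemb, size_t size, size_t *out)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb) {
        *out = 0;
        return false;
    }
    *out = nmemb * size;
    return true;
}

/* Convenience predicate for callers that only need a yes/no answer. */
bool request_is_safe(size_t nmemb, size_t size)
{
    size_t unused;
    return checked_alloc_size(nmemb, size, &unused);
}

/* Allocator wrapper with calloc() semantics that fails closed: a wrapped
 * request yields NULL and ENOMEM instead of an undersized block. */
void *safe_calloc(size_t nmemb, size_t size)
{
    size_t bytes;
    if (!checked_alloc_size(nmemb, size, &bytes)) {
        errno = ENOMEM;
        return NULL;
    }
    void *p = malloc(bytes ? bytes : 1); /* zero-size request still distinguishable from failure */
    if (p != NULL)
        memset(p, 0, bytes);
    return p;
}

/* Post-hoc consistency check for a byte count the caller did not compute
 * itself: if bytes / size no longer equals nmemb, the product wrapped. */
bool product_consistent(size_t bytes, size_t nmemb, size_t size)
{
    return size == 0 || bytes / size == nmemb;
}

/* Returns 1 when the request is refused with ENOMEM, 0 otherwise. */
int wrapped_request_refused(size_t nmemb, size_t size)
{
    errno = 0;
    void *p = safe_calloc(nmemb, size);
    int refused = (p == NULL && errno == ENOMEM);
    free(p);
    return refused;
}

/* Returns 1 when a sane request yields a fully zeroed block of nmemb*size bytes. */
int block_is_zeroed(size_t nmemb, size_t size)
{
    unsigned char *p = safe_calloc(nmemb, size);
    if (p == NULL)
        return 0;
    int zeroed = 1;
    for (size_t i = 0; i < nmemb * size; i++)
        if (p[i] != 0) { zeroed = 0; break; }
    free(p);
    return zeroed;
}

int main(void)
{
    /* Constructed request: SIZE_MAX/2 + 2 elements of 2 bytes. The true
     * product is SIZE_MAX + 3, which wraps to 2 on any size_t width. */
    size_t nmemb = SIZE_MAX / 2 + 2, size = 2, bytes;

    printf("unchecked byte count : %zu (caller believes it owns %zu elements)\n",
           unchecked_alloc_size(nmemb, size), nmemb);
    printf("checked request ok   : %s\n",
           checked_alloc_size(nmemb, size, &bytes) ? "yes" : "no (overflow)");
    printf("safe_calloc refused  : %s\n",
           wrapped_request_refused(nmemb, size) ? "yes" : "no");
    printf("sane 16x4 zeroed     : %s\n", block_is_zeroed(16, 4) ? "yes" : "no");
    return 0;
}
```

The division test in checked_alloc_size is the portable form of the check; on compilers that provide it, __builtin_mul_overflow gives the same answer in one call. The practical lesson for code that consumes element counts from network messages is the one product_consistent encodes: any byte count derived by multiplication must be validated against the operands before it is trusted as a buffer bound.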

Strategic Mitigations: Pathways to Protection

Patch Releases and Required Actions

Hitachi Energy has released patches or mitigation guides for each affected product family and version, prioritizing the latest firmware branches. Specifically, users must:
  • Upgrade firmware to the patch versions as prescribed above.
  • For legacy devices ineligible for direct update, closely follow Hitachi’s mitigation section—typically involving network segmentation, protocol hardening, and restricting remote management capabilities.

Augmenting Security Posture

CISA and Hitachi Energy both advocate for a layered (“defense-in-depth”) approach, including:
  • Network Minimization: Ensure critical control devices are isolated from public and business networks. Devices should never be directly exposed to the internet.
  • Firewall Deployment: Place IED and SCADA communication behind robust network segmentation, with dedicated industrial firewalls.
  • Remote Access Controls: If remote connections are essential, utilize VPNs insulated by actively updated security appliances—recognizing these themselves must be regularly patched against new CVEs.
  • Employee Security Hygiene: Prevent social engineering through staff training and vigilance, referencing CISA’s social engineering and email scam guidance.
  • Monitoring and Response: Deploy anomaly detection, SIEM correlation, and maintain up-to-date incident response protocols for suspected breaches.
Notably, at the time of this advisory’s publication, there are no confirmed in-the-wild exploits of these vulnerabilities. However, the embedded sector—especially devices running VxWorks—has become a high-priority target for sophisticated adversaries in recent years, elevating the urgency for proactive risk reduction.

Critical Analysis: Assessing the Broader Implications

Strengths of Hitachi Energy’s Approach

  • Transparency & Coordination: Rapid disclosure via both vendor and CISA increases sector-wide awareness, supporting timely remediation across geographically dispersed installations.
  • Patch Release Velocity: Swift issuance of patch firmware for multiple device generations surpasses the industry average, compared to patch lags frequently seen in industrial control environments.
  • Comprehensive Guidance: Detailed recommendations extend beyond single-issue fixes to whole-system defensive strategy, aligning with best practice frameworks such as NIST SP 800-82 and ISA/IEC 62443.

Weaknesses and Potential Long-Term Risks

  • Legacy Device Exposure: A significant proportion of deployed Relion and SAM600-IO units operate on legacy firmware or hardware, some of which are no longer upgradeable, leaving them reliant on secondary, network-based mitigations rather than direct patching.
  • Reliance on Embedded RTOS: The prevalence of VxWorks and similar RTOSes in critical devices perpetuates the exposure window for these classes of bugs, especially given the widespread “copy and reuse” paradigm in embedded software. Visibility into third-party software supply chains remains limited.
  • Industrial Sector Patch Discipline: Utilities and grid operators often face organizational and regulatory inertia, resulting in patch rollouts lagging months or years behind advisories—exacerbating the effective risk.
  • Complex Upgrade Logistics: Field upgrades of mission-critical IEDs can demand physical access, downtime windows, and require operational retraining—factors that may impede timely remediation.
  • Post-Disclosure Exploit Development: Public availability of technical details for CVEs such as CVE-2020-35198 and CVE-2020-28895 often accelerates exploit development in threat actor communities, compressing the window between vulnerability publication and active exploitation in the wild.

Recommendations for Asset Owners

  • Immediate Inventory: Identify all potentially impacted Relion and SAM600-IO devices within asset inventories, mapping firmware versions, roles, and access vectors.
  • Patch Management Acceleration: Prioritize application of vendor-provided firmware updates, especially for devices exposed via routable protocols or internet-adjacent networks.
  • Network Re-architecture: Where device patching is not feasible, invest in network micro-segmentation and explicit whitelisting of communication flows to minimize the attack surface.
  • Incident Preparedness: Refine playbooks for detecting anomalous device behaviors, coordinate with ISACs, and engage in sector-specific information sharing to accelerate threat intelligence cycles.
  • Policy Engagement: Advocate for regulatory and vendor support for sustained long-term patch and mitigation support in critical device classes, reducing future technical debt.

Conclusion: A Call for Vigilance in Industrial Cybersecurity

The vulnerabilities surfacing in Hitachi Energy’s Relion and SAM600-IO series once again highlight the mounting security challenges within industrial control and OT environments. Integer overflows in RTOS memory management, seemingly low-level software defects, possess the capacity for catastrophic impact when exploited at scale in critical power infrastructure.
While Hitachi Energy’s transparent, prompt, and comprehensive response is commendable and sets an industry benchmark, asset owners and operators must recognize that patching and segmentation are only one front in a much broader and ongoing cyber defense campaign. The lessons from this advisory extend far beyond a particular device or vendor—emphasizing the enduring importance of software supply chain scrutiny, cross-sector information sharing, and relentless operational vigilance.
Search terms such as “Hitachi Energy Relion vulnerabilities,” “Wind River VxWorks CVE-2020-35198,” and “SAM600-IO security advisory” are evidence of growing awareness and concern. For industrial cybersecurity professionals and energy sector stakeholders alike, this is a pressing invitation not merely to react, but to anticipate—the next challenge may already be coded in the firmware running quietly beneath the world’s electric grids.

Source: CISA Hitachi Energy Relion 670, 650 Series and SAM600-IO Product | CISA