In a blog post providing details about the flaw, researcher Nadav Erez said Digsi 4 was the same protocol exploited by the malware known as Industroyer in 2016; that malware is claimed to have been used to attack the power grid in Ukraine on 17 December 2016.
There is, however, no unanimity in this claim; as iTWire reported in 2017, researchers from Slovakian security firm ESET were cautious about concluding that Industroyer was really used in the Ukraine attack.
All that ESET committed to at the time was that their researchers had found malware — it was they who coined the name Industroyer — which could have done exactly what happened to the power grid in Ukraine. The capital, Kiev, was without power for an hour. A previous attack in 2015, also in December, knocked out the power in about 250,000 houses in various regions of Ukraine.
"Substations are critical in power generation, distribution, and transmission networks," Erez explained. "A very important component in a substation is the protection relay, which is responsible for monitoring the actual current transmitted in every location and may trip any circuit breaker if anything unexpected happens.
"Without this protection relay, anything from a power outage to physical damage and even safety issues could occur."
Some Industroyer payloads were aimed at causing a DoS on the protection relays and remote terminal units used by targeted power grid companies, thus acting as a kill switch.
"One of the specifically targeted ICS payloads found in the Industroyer malware (CVE-2015-5374), that was implemented, caused a DoS on Siemens SIPROTEC 4 protection relays," Erez said. "This vulnerability used the SIPROTEC 4 programming protocol (Digsi 4) that communicates over UDP port 50000, and the proof-of-concept code implementing it is available publicly."
The flaw that Claroty discovered used a malicious packet in Digsi 4 to cause a DoS on those relays, giving an attacker the chance to inflict the same damage as that caused by Industroyer.
"This Digsi 4 protocol allows users to program the protection relay and change its behaviour," Erez pointed out.
IT security products face an additional challenge in protecting against such attacks because the protocol, like many other ICS protocols, is proprietary, he added.
Siemens has issued an advisory outlining workarounds and mitigations for this issue, and has strengthened security in the newer SIPROTEC 5 relays, which use an encrypted communication protocol.
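As an added illustration of the monitoring gap Erez describes (this is example code written for this article, not Claroty's or Siemens' tooling), the following Python script reads constructed flow-log lines and flags traffic to the Digsi 4 engineering port, UDP 50000, that either comes from a host outside a hypothetical engineering-workstation allowlist or is aimed at a host that is not a known relay. The log format, the addresses and both allowlists are assumptions; the only fact taken from the article is the port number.

```python
"""Flag UDP/50000 (Digsi 4 engineering port) traffic that is not expected.

Added example, not code from the article, Claroty or Siemens. The flow-log
format, host addresses and allowlists are constructed for illustration;
adapt parse_flow() to whatever your NetFlow/Zeek/firewall export looks like.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Port the article identifies for the SIPROTEC 4 programming protocol (Digsi 4).
DIGSI4_UDP_PORT = 50000


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Finding:
    flow: Flow
    reason: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed log line: '<ts> <src> <dst> <proto> <dport>'.

    Returns None for malformed lines so a single bad record does not abort
    the whole scan.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return Flow(ts, src, dst, proto.lower(), int(dport))
    except ValueError:
        return None


def find_unexpected_digsi_flows(
    lines: Iterable[str], engineering_hosts: Set[str], relay_hosts: Set[str]
) -> List[Finding]:
    """Return every Digsi 4 flow that violates the allowlist policy.

    Policy (an assumption for this example): only listed engineering
    workstations may talk to UDP/50000, and only listed relays should
    receive it. Because the protocol is proprietary, the check deliberately
    looks at who talks to whom rather than at packet contents.
    """
    findings: List[Finding] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.proto != "udp" or flow.dport != DIGSI4_UDP_PORT:
            continue
        if flow.dst not in relay_hosts:
            findings.append(Finding(flow, "unexpected destination"))
        elif flow.src not in engineering_hosts:
            findings.append(Finding(flow, "unauthorised source"))
    return findings


# Constructed sample data: one engineering workstation, one relay.
ENGINEERING_HOSTS = {"10.10.1.5"}
RELAY_HOSTS = {"10.10.2.20"}
SAMPLE_FLOWS = [
    "2024-01-01T10:00:00Z 10.10.1.5 10.10.2.20 udp 50000",   # workstation -> relay: allowed
    "2024-01-01T10:00:01Z 10.10.1.5 10.10.2.20 tcp 102",     # unrelated traffic: ignored
    "2024-01-01T10:00:02Z 10.10.9.77 10.10.2.20 udp 50000",  # unknown host -> relay: flag
    "2024-01-01T10:00:03Z 10.10.9.77 10.10.2.21 udp 50000",  # UDP/50000 to a non-relay: flag
    "malformed line",                                        # skipped by the parser
]


if __name__ == "__main__":
    for f in find_unexpected_digsi_flows(SAMPLE_FLOWS, ENGINEERING_HOSTS, RELAY_HOSTS):
        print(f"{f.flow.timestamp} {f.flow.src} -> {f.flow.dst}: {f.reason}")
```

Run against the constructed sample it reports two flows: the unknown host reaching the relay and the same host reaching a non-relay address. The point of the design is that an allowlist on source, destination and port needs no understanding of the proprietary payload, which is exactly what a generic IT security product lacks.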