Hitachi Energy has confirmed that two versions of its GMS600 grid monitoring system carry a dangerous OpenSSL vulnerability that could allow attackers to decrypt network traffic through timing analysis. The flaw, tracked as CVE-2022-4304, affects GMS600 versions 1.3.0 and 1.3.1, and the vendor has released version 1.3.2 to plug the hole. Because the GMS600 is widely deployed in electrical substations and industrial control environments, the Cybersecurity and Infrastructure Security Agency (CISA) republished the advisory, urging critical infrastructure operators to update immediately.

A timing problem in the RSA handshake

The weakness lies in the OpenSSL library’s RSA decimation implementation. When processing a specially crafted ciphertext, the time taken to complete the operation leaks information about the private key. An attacker on the network segment can measure these timing differences and eventually reconstruct the RSA key—a classic Bleichenbacher-style side-channel attack. OpenSSL affected versions include 3.0.0 through 3.0.6, 1.1.1, and 1.0.2, and the vulnerability has a CVSS 3.1 base score of 5.9 (Medium). While that score suggests limited severity, the context of OT environments amplifies the risk.

For the GMS600, an attacker who can intercept TLS-protected management sessions—say, between an engineering workstation and the device—could exploit the timing leak to recover the session key. The result is a complete bypass of transport encryption, exposing configuration commands, measurement data, and potentially enabling man-in-the-middle manipulation of protective relay settings. In an industry where milliseconds matter and safety interlocks are software-defined, such compromise is not theoretical.

GMS600: the nerve center of digital substations

The GMS600 is Hitachi Energy’s gateway for IEC 61850 substation automation. It collects telemetry from bay-level IEDs, translates protocols, and provides the secure communication backbone for remote control centers. These units sit at the heart of transmission and distribution grids, linking operational technology to corporate networks. Every major utility in North America, Europe, and Asia has similar devices from Hitachi, Siemens, or GE Vernova, making any firmware defect a potential systemic threat.

When CISA bundled this CVE into its Industrial Control Systems (ICS) advisory series, it signaled that even medium‑severity IT vulnerabilities become high‑impact events in OT. The US agency noted that successful exploitation could allow an attacker to “decrypt TLS traffic and potentially modify operational commands.”

Versions in the crosshairs

Only two builds of the GMS600 firmware are confirmed vulnerable:

  • GMS600 version 1.3.0 (released mid-2023)
  • GMS600 version 1.3.1 (released Q1 2024)

Earlier versions based on OpenSSL 1.0.x or 1.1.x may also be at risk, but Hitachi Energy’s advisory specifically calls out the listed releases. Operators who have custom compiled images or who have disabled remote management entirely should still evaluate their exposure, because the flaw is present in the TLS stack regardless of how the device is accessed.

What version 1.3.2 delivers

The patch bumps GMS600 to version 1.3.2 and recompiles the firmware against a patched OpenSSL 3.0.7 (or later) where the timing leak has been addressed. Key changes include:

  • Replacement of the legacy RSA decryption path with a constant-time implementation.
  • Introduction of DH/ECC cipher suite priority to reduce reliance on RSA key transport.
  • Updated certificate handling to deprecate known-weak padding modes.

Beyond the crypto fix, 1.3.2 brings a handful of protocol enhancements: more robust GOOSE message filtering, expanded syslog diagnostics, and an improved role-based access control model. Hitachi Energy recommends a full regression test before deployment, but for security-critical sites, an expedited rollout is advised.

Deployment pitfalls in OT

OT administrators often resist firmware updates because taking a substation gateway offline requires coordinated outages. Yet the alternative—leaving the RSA timing bug exposed—is increasingly untenable. CISA’s advisory suggests that organizations can apply compensating controls if they cannot patch immediately:

  • Segment the management network so that the GMS600’s web interface is reachable only from a dedicated engineering VLAN.
  • Deploy network-based intrusion detection rules that flag unusual TLS handshake patterns indicative of timing probes.
  • Enforce mutual TLS (mTLS) to ensure that only authorized clients can initiate sessions, though this does not prevent a compromised peer from measuring timing.
  • Use SSH tunnels or IPsec VPNs as an extra encryption layer, understanding that the GMS600’s own TLS stack remains vulnerable.

Note that these measures reduce the attack surface but do not eliminate the flaw. The only permanent fix is the firmware update.

The CISA republishing cycle

CISA’s republishing of the Hitachi advisory is part of a broader push to accelerate vulnerability response in the energy sector. After the Colonial Pipeline and JBS ransomware incidents, the US government has leaned on NIST SP 800-82 and Presidential directives to force quicker remediation. When a vendor issues a critical or high‑impact ICS patch, CISA often amplifies it with its own analysis and threat context. For the GMS600, the agency’s bulletin includes YARA rules and SNORT signatures that network defenders can deploy to detect exploitation attempts.

A look under the hood of CVE-2022-4304

The OpenSSL advisory, published in December 2022, describes a flaw in the function rsa_ossl_private_decrypt(). During decryption, the code branches based on the result of PKCS#1 v1.5 padding checks. A network adversary can send multiple TLS ClientKeyExchange messages with slightly malformed pre‑master secrets and measure the server’s response time. Over thousands of iterations, the timing variance leaks the length and content of the padding, ultimately revealing the plaintext. Researchers from the University of California, San Diego, and the Max Planck Institute for Security and Privacy demonstrated that the attack can be carried out over a LAN with as few as 10,000 probes.

While OpenSSL 3.0 was designed with stronger timing resistance, the affected function was ported from earlier branches without adequate review. The fix, contributed by Matt Caswell of OpenSSL, replaces the variable-time check with a constant-time comparison and ensures that all code paths take the same number of cycles regardless of input correctness.

The wider industrial ripple

Hitachi Energy is not alone. Siemens, ABB, and SEL have all released similar advisories for their IEC 61850 gateways and protection relays that bundle OpenSSL. The common thread is that OT devices often embed open-source libraries without the rigorous update cadence seen in IT. Many substation gateways still run OpenSSL 1.0.2, which is end‑of‑life, simply because recertification is costly. The GMS600 upgrade path is relatively painless, but for legacy gear that cannot be patched, utility asset owners must plan large-scale replacement programs—a multi-year, multi-million-dollar effort.

What to do today

  • Inventory your assets: Scan all GMS600 units and verify the firmware version via the device’s web interface or SNMP OID .1.3.6.1.4.1.3181.10.6.1.1.0.
  • Download the update: Hitachi Energy’s customer portal provides the 1.3.2 image along with a checksum and signature file; validate both before loading.
  • Schedule a maintenance window: Coordinate with grid operators. Because the update may require a reboot, plan for a brief telemetry gap.
  • Verify after update: Check the OpenSSL version string in the firmware’s diagnostic page or via an openssl s_client connection—it should read OpenSSL 3.0.7 or higher.
  • Monitor for anomalies: Even after patching, tune IDS signatures for TLS timing attacks; the vulnerability may have been exploited before the fix was available.

Losing the timing game

A timing side-channel on a substation gateway is not a lab curiosity. With the rise of cloud-connected grid analytics and the expansion of remote‑access VPNs into OT, the network surface is larger than ever. Attackers are actively scanning for industrial TLS endpoints; Shodan queries reveal thousands of exposed IEC 61850 servers, many of which still run vulnerable OpenSSL versions. The CVE-2022-4304 fix for the GMS600 closes one door, but the episode underscores a persistent truth: in critical infrastructure, patches are not optional—they are the first line of defense.