Executive Summary

CVE-2022-4304 is a timing-based side channel in the RSA decryption path of the OpenSSL component bundled into Hitachi Energy GMS600, allowing an attacker who can observe processing times across many trial messages to recover the pre-master secret and decrypt captured session traffic. In a generation management system that mediates dispatch, station data, and operator communications, that means the confidentiality boundary protecting control plane data is recoverable rather than guaranteed.

Technical Exposure Breakdown

The vulnerable component is OpenSSL operating inside affected GMS600 firmware versions. The defect is a Bleichenbacher-style timing oracle. When RSA is used for key exchange, the server decrypts a client-supplied ciphertext to derive the pre-master secret. OpenSSL's implementation of the RSA decryption and PKCS#1 v1.5 padding check did not run in fully constant time, so the duration of a server response correlates with the structure of the decrypted padding.

An attacker on a path that allows repeated connection attempts to the TLS endpoint sends a large volume of crafted ciphertexts and measures response timing for each. With enough samples to overcome network jitter, the attacker reconstructs the pre-master secret from a single targeted handshake. Once that secret is known, any previously recorded application data from that session can be decrypted offline. The CVSS of 5.9 reflects the high attack complexity. This is not a single-packet exploit. It requires sustained network access, low and stable latency, and the ability to either trigger or capture the target session.

The OT relevant condition is the network path. On an IT network, an attacker rarely gets clean, low-jitter timing access to an internal TLS endpoint. On a flat substation or plant LAN where the GMS600 shares broadcast domains with engineering workstations and historians, an adversary who already has a foothold gets exactly the stable timing surface this attack needs.

OT Impact and Compliance Risk

The physical risk here is not a forced trip or a malformed command. It is loss of confidentiality over control system communications. Recovered session data can expose authentication material, configuration, dispatch instructions, and topology that an attacker uses to stage a follow-on action. Treat this as a reconnaissance and credential exposure enabler, not a standalone outage cause.

For NERC CIP entities, GMS600 in a generation context is likely a medium or high impact BES Cyber System. CIP-005 electronic security perimeter and CIP-007 system security management both assume the cryptographic protections on the asset hold. A recoverable session key undermines that assumption and should be tracked under your CIP-010 configuration management and CIP-007 patch evaluation timelines. Under IEC 62443-3-3, this touches SR 4.1 information confidentiality and SR 4.3 use of cryptography. The control is present but the implementation is defective, which is a finding you must document rather than wave off.

Compensating Controls

Do not active-scan the GMS600 to confirm the OpenSSL version. Aggressive TLS probing and fuzzing of the handshake can destabilize embedded crypto stacks on industrial controllers. Verify version from the firmware manifest and vendor documentation, not by hammering the live endpoint.

BreachSpider Intel

BreachSpider tracks exposure and exploitation signals for Hitachi Energy GMS600 and the broader OpenSSL footprint across OT environments so your team sees movement on CVE-2022-4304 before it reaches your perimeter.