CISA published advisory ICSA-26-120-02 covering a critical vulnerability in ABB’s PCM600 Protection and Control IED Manager — the tool used by protection engineers to configure, parameterize, and commission protection relays and intelligent electronic devices (IEDs) across energy transmission and distribution infrastructure. The vulnerability allows arbitrary code execution via a malicious message processed by a vulnerable SharpZip.dll component. No authentication is required for exploitation in environments where the tool is network-accessible.

What PCM600 Is and Why It Matters

ABB’s PCM600 is not a user-facing application in the conventional sense. It is the engineering workstation tool used by protection engineers to configure the IEDs that govern electrical protection systems in substations — distance relays, differential protection, busbar protection, auto-reclosers. These devices make millisecond decisions about whether to trip circuit breakers in response to fault conditions. Misconfigured or compromised protection settings can cause either failure to clear faults (leading to equipment damage or fire) or spurious tripping (causing unnecessary outages).

PCM600 is deployed on engineering workstations in:

  • Electricity transmission and distribution substations
  • Industrial facilities with onsite generation or complex distribution
  • Utility company regional control centres where remote IED parameterization is performed

In larger utilities, PCM600 workstations may have network connectivity to the OT network for remote IED access, and in some deployments have historically had connections to corporate IT networks for project file sharing — a configuration that substantially increases the attack surface.

Vulnerability Technical Details

Advisory: ICSA-26-120-02
Affected product: ABB PCM600 (multiple versions prior to the patched release)
Vulnerability class: Arbitrary code execution via malicious message processing
Root cause: Vulnerable SharpZip.dll component — a .NET library for ZIP archive manipulation — processes attacker-supplied data without adequate validation. A maliciously crafted message triggers the vulnerable code path, resulting in arbitrary code execution in the context of the PCM600 process.
Authentication requirement: None required for the specific exploitation path documented in the advisory
CVSS score: Critical (score released with the advisory; consult CISA’s advisory page for current scoring)
Affected sectors: Critical Manufacturing, Energy worldwide

The SharpZip.dll vulnerability class is a serialization/deserialization issue — malformed archive data is processed by the decompression library in a way that allows control flow to be redirected. This vulnerability class has been reliably exploitable in .NET applications when untrusted input reaches the deserializer.

Exploitation Scenario

An attacker with network access to a PCM600 engineering workstation — or who can cause a PCM600 installation to process a maliciously crafted file (via a phishing email with an attachment, a compromised project file repository, or a malicious update package) — can achieve code execution on the engineering workstation.

From the engineering workstation, the subsequent attack paths include:

  • IED parameter manipulation: Using PCM600’s legitimate access to connected IEDs to modify protection settings (pickup values, trip times, zone boundaries). This can be done silently without triggering the same alarms that a network-based IED attack would generate, since the changes arrive via the authorized engineering channel.
  • Credential theft: Engineering workstations hold credentials for OT historian systems, SCADA HMIs, and in poorly segmented networks, Active Directory credentials that enable lateral movement into IT environments.
  • Persistent access: Dropping a backdoor on the engineering workstation provides long-dwell access to the OT environment through the most trusted access path — engineering tools are rarely monitored with the same scrutiny as IT workstations.
  • Lateral movement to other IEDs: PCM600 workstations are typically configured with access to all IEDs in a substation or region. Compromising one workstation provides access to the full IED estate that workstation manages.

Who Is Exposed

Deployment patterns that increase exposure risk:

  • PCM600 workstations with network connectivity beyond the local substation LAN
  • Shared engineering workstations used by both protection engineers and operations staff (broader credential exposure)
  • PCM600 installations that receive project files from external sources (contractors, equipment vendors) without verification
  • Environments where PCM600 is connected to corporate file shares for project storage

Deployment patterns that reduce exposure:

  • PCM600 on air-gapped engineering workstations with physical media as the only data transfer path
  • PCM600 on isolated OT VLANs with no routing to corporate IT or internet
  • Project file transfers via verified channels only (signed packages from ABB’s official update mechanism)

1. Apply the ABB patch immediately

ABB has released a patched version of PCM600. Engineering workstations running protection tools are not always included in standard enterprise patch management cycles — verify that the patch process reaches these systems specifically.

# Identify PCM600 installations on Windows (run from management workstation)
wmic /node:"<workstation-ip>" product where "name like '%PCM600%'" get name,version

Compare the identified version against ABB’s security advisory for the patched version number.

2. Isolate PCM600 workstations from general network access

If not already done:

[PCM600 Engineering Workstation] → [OT/Engineering VLAN only]
                                ↛ [Corporate IT network]
                                ↛ [Internet]

Engineering workstations that require IED access should have a specific, firewalled route to the IED VLAN — not general corporate network access. Any historical connectivity to corporate IT should be removed or gated through a DMZ with application-layer inspection.

3. Verify project file integrity before opening

Any PCM600 project file received from an external source — contractor, vendor, equipment supplier — represents a potential vehicle for delivering the malicious message that triggers exploitation. Implement a process for verifying project files before they are opened on PCM600 workstations:

  • Receive files via authenticated channels (vendor portal, verified email from known contacts)
  • Hash the file and verify with the sender before opening
  • Open files first in an isolated environment (VM without OT network access) if possible

4. Enable logging on engineering workstations

PCM600 workstations are frequently excluded from SIEM log collection because they are on OT networks. At minimum:

  • Enable Windows Event Log collection for process creation and network connections
  • Log all PCM600-initiated connections to IEDs (use OT-aware passive monitoring tools like Dragos Platform, Claroty, or Nozomi Networks if deployed)
  • Alert on any unusual process creation from the PCM600 process (it should not be spawning PowerShell or cmd.exe under normal operation)

5. Audit IED parameter changes after the advisory window

If there is any uncertainty about whether PCM600 workstations in your environment were exposed, audit protection relay parameters for any changes in the window between the vulnerability’s active exploitation period and patching. Protection engineers should compare current relay parameters against the last verified backup of IED configuration files.

Context: ABB IED Security in 2026

ABB has had multiple ICS security advisories for its product line in the 2026 cycle. ICSA-26-132-03 (ABB AC500 V3 PLC, authentication bypass allowing unauthenticated remote file read) was published in the same July 2 advisory batch. The breadth of ABB advisories across product lines reflects both the company’s market presence — ABB products are in a significant percentage of global electricity infrastructure — and the increased scrutiny of OT vendor security in the current regulatory environment.

For utilities with ABB-heavy OT estates, a systematic review of all active advisories against the installed version inventory is warranted. CISA’s ICS advisory page maintains a searchable database by vendor; filter for ABB to identify all outstanding advisory items across the product portfolio.

Tags
ABBPCM600ICSA-26-120-02CISAIEDprotection relayarbitrary code executionSharpZipenergycritical manufacturingOT security