DHS Warns Thousands of Industrial Energy Systems Vulnerable to Remote Hacking
The Web interface to an Internet-connected device used by power-generation plants can be easily exploited, a DHS advisory states.
WASHINGTON – An Internet-connected industrial monitoring device oftentimes used in U.S. power plants and energy facilities is vulnerable to numerous security vulnerabilities, according to the Department of Homeland Security (DHS).
The Computer Emergency Readiness Team (CERT) posted an advisory that says the Environmental Systems Corp. (ESC) 8832 data controller, which allows a plant worker to see exactly how an industrial unit is working at a glance, could be easily exploited by a “low skilled” attacker.
“The device supports different accounts with distribution of system privileges. An attacker can gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter,” the advisory states.
That’s because the Internet-connected device has a Web interface, which hackers can easily exploit to gain greater access to the device than intended. In other words, an attacker could remotely perform administrative operations, which could be used to view or even change sensitive industrial system information.
Worst of all, the company that develops the technology said it can’t patch the vulnerabilities, because there is no code space to install a security patch, zdnet.com reports.
ESC, which developed the device, introduced the supervisory control and data acquisition (SCADA) system in 2001. The decade-old device was last sold in 2013 because, according to one of the device’s developers, the company couldn’t “get the parts.” That said, the company said it would support the device until the end of the decade, but pushed those who used the device to upgrade to the newer ESC 8864 data controller.
Zdnet.com reports there are thought to be more than 4,000 units in the field, according to a company newsletter dated late-2012.
The flaws were discovered by independent security researcher Maxim Rupp. ESC acknowledged that Balazs Makany reported the flaws last year. Makany later released the exploit code online last year, pushing the CERT advisory to raise the risk of the flaw being exploited to a top-tier severity.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!
Security Is Our Business, Too
For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Commercial Integrator + Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add to your bottom line.
A FREE subscription to the top resource for security and integration industry will prove to be invaluable.