WASHINGTON – An Internet-connected industrial monitoring device oftentimes used in U.S. power plants and energy facilities is vulnerable to numerous security vulnerabilities, according to the Department of Homeland Security (DHS).
The Computer Emergency Readiness Team (CERT) posted an advisory that says the Environmental Systems Corp. (ESC) 8832 data controller, which allows a plant worker to see exactly how an industrial unit is working at a glance, could be easily exploited by a “low skilled” attacker.
“The device supports different accounts with distribution of system privileges. An attacker can gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter,” the advisory states.
That’s because the Internet-connected device has a Web interface, which hackers can easily exploit to gain greater access to the device than intended. In other words, an attacker could remotely perform administrative operations, which could be used to view or even change sensitive industrial system information.
Worst of all, the company that develops the technology said it can’t patch the vulnerabilities, because there is no code space to install a security patch, zdnet.com reports.
ESC, which developed the device, introduced the supervisory control and data acquisition (SCADA) system in 2001. The decade-old device was last sold in 2013 because, according to one of the device’s developers, the company couldn’t “get the parts.” That said, the company said it would support the device until the end of the decade, but pushed those who used the device to upgrade to the newer ESC 8864 data controller.
Zdnet.com reports there are thought to be more than 4,000 units in the field, according to a company newsletter dated late-2012.
The flaws were discovered by independent security researcher Maxim Rupp. ESC acknowledged that Balazs Makany reported the flaws last year. Makany later released the exploit code online last year, pushing the CERT advisory to raise the risk of the flaw being exploited to a top-tier severity.
