DHS Issues Warning That Says Thousands Of Industrial Energy Systems Can Be Hacked Remotely
(Cyberwar.news) The Department of Homeland Security has issued a warning stating that an Internet-connected industrial monitoring device, which is typically used in U.S. industrial power plants and energy facilities, is vulnerable to remote hacking.
As reported by ZDNet, DHS’ Computer Emergency Readiness Team, or CERT, has posted an advisory stating that the ESC 8832 data controller, which allows a plant worker to see exactly how an industrial unit is working at a glance, could be trivially exploited by a “low skilled” attacker.
“The device supports different accounts with distribution of system privileges. An attacker can gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter,” said the advisory.
“Independent researcher Maxim Rupp has identified data controller vulnerabilities in the Environmental Systems Corporation (ESC) 8832 Data Controller. ESC acknowledged that Balazs Makany reported these vulnerabilities on February 18, 2015,” the advisory continued. “ESC has stated the ESC 8832 Data Controller has no available code space to make any additional security patches; so, a firmware update is not possible. ESC has released an advisory that identifies compensating controls to reduce risk of exploitation of the reported vulnerabilities.”
Because the Internet-connected device has a Web interface, it is vulnerable to hackers who can easily exploit it to gain greater access to systems than intended. As ZDNet noted further:
In other words, an attacker could remotely perform administrative operations, which could be used to view or even change sensitive industrial system information.
Worst of all, the company that develops the technology said it can’t patch the vulnerabilities, because there is no code space to install a security patch.
ESC, which developed the device, introduced the supervisory control and data acquisition (SCADA) system in 2001. The decade-old device was last sold in 2013 because, according to one of the device’s developers, the company couldn’t “get the parts.”
Officials believe that more than 4,000 of these units are still in use, according to a company newsletter dated late 2012.
“ESC’s recommendation for mitigation is to upgrade the device. Alternatively, block Port 80 with a firewall in front of the device. Another alternative is to educate operators and users to not use the web interface for device management, because there are other means to manage the device,” DHS’ advisory noted.
Access to American power stations via the Internet has been a major concern for U.S. officials. Cybersecurity experts say that hacking now poses the greatest threat to the U.S. power grid, and that an attack would result in widespread power outages that could last for months, creating panic and social chaos.