The Environmental Systems Corporation (ESC) has published a series of recommendations organizations can follow to mitigate several data controller vulnerabilities.
On Thursday, the United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released an advisory for vulnerabilities in the ESC 8832 Data Controller, a data-acquisition device with a web-based management interface that is commonly deployed in the energy sector.
The first vulnerability (CVE-2016-4501) allows a remote attacker to bypass the authentication process and make unauthorized configuration changes to the device.
Attackers can use the second flaw (CVE-2016-4502) to gain access to certain functions that are otherwise not displayed to users by brute-forcing a parameter.
Independent security researcher Maxim Rupp first discovered the vulnerabilities, and researcher Balazs Makany reported the flaws to ESC over a year ago on February 18, 2015.
As ICS-CERT explains in its advisory, there is no fix for the flaws:
“ESC has stated the ESC 8832 Data Controller has no available code space to make any additional security patches; so, a firmware update is not possible. ESC has released an advisory that identifies compensating controls to reduce risk of exploitation of the reported vulnerabilities.”
Specifically, ESC recommends that operators upgrade to a newer device, block TCP port 80 (the HTTP web interface) at a firewall, and educate users not to use the web interface for device management.
ICS-CERT also urges organizations to minimize the devices' network and Internet exposure, isolate the data controllers from the business network, and use VPNs when remote access is required.
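Because no firmware fix exists, the only defence is to verify that the compensating controls actually hold. The following script is an added example, not code from ICS-CERT, ESC or the researchers: it audits netfilter-style firewall log lines for the controller's web port and reports any connection to port 80 that was accepted from outside the management network (a failed control), plus a per-source count of blocked attempts. The addresses, zones, and the "ICS-DROP"/"ICS-ACCEPT" log prefixes are hypothetical, and the log lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed network layout (hypothetical addresses chosen for this example).
CONTROLLER_IP = ipaddress.ip_address("10.20.30.40")      # the ESC 8832
MANAGEMENT_NET = ipaddress.ip_network("10.20.99.0/24")   # jump hosts / VPN pool
BUSINESS_NET = ipaddress.ip_network("192.168.0.0/16")    # corporate LAN
WEB_PORTS = {80}                                         # the port ESC says to block

# Netfilter LOG-style lines, constructed for this example. "ICS-DROP" and
# "ICS-ACCEPT" are assumed prefixes set with --log-prefix on the firewall rules.
SAMPLE_LOG = """\
Jun  2 10:01:12 fw kernel: ICS-DROP: IN=eth1 OUT=eth2 SRC=192.168.4.17 DST=10.20.30.40 PROTO=TCP SPT=51234 DPT=80 SYN
Jun  2 10:01:13 fw kernel: ICS-DROP: IN=eth1 OUT=eth2 SRC=192.168.4.17 DST=10.20.30.40 PROTO=TCP SPT=51235 DPT=80 SYN
Jun  2 10:02:40 fw kernel: ICS-ACCEPT: IN=eth3 OUT=eth2 SRC=10.20.99.5 DST=10.20.30.40 PROTO=TCP SPT=40001 DPT=80 SYN
Jun  2 10:03:01 fw kernel: ICS-DROP: IN=eth0 OUT=eth2 SRC=203.0.113.9 DST=10.20.30.40 PROTO=TCP SPT=33333 DPT=80 SYN
Jun  2 10:03:05 fw kernel: ICS-ACCEPT: IN=eth3 OUT=eth2 SRC=10.20.99.5 DST=10.20.30.40 PROTO=TCP SPT=40002 DPT=502 SYN
Jun  2 10:04:00 fw kernel: ICS-ACCEPT: IN=eth1 OUT=eth2 SRC=192.168.7.2 DST=10.20.30.40 PROTO=TCP SPT=45000 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"(?P<verdict>ICS-(?:DROP|ACCEPT)):.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def zone(ip):
    """Map a source address to the network zone it belongs to."""
    if ip in MANAGEMENT_NET:
        return "management"
    if ip in BUSINESS_NET:
        return "business"
    return "external"


def parse_line(line):
    """Extract verdict, endpoints and destination port from one log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "verdict": m.group("verdict"),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def audit(log_text):
    """Check traffic to the controller's web port against the compensating controls.

    Returns (violations, blocked): 'violations' lists (src, zone) pairs that were
    accepted to port 80 from outside the management network, i.e. the firewall
    rule is missing or wrong; 'blocked' counts dropped attempts per source, which
    shows the rule working and who is probing the device.
    """
    violations = []
    blocked = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != CONTROLLER_IP or rec["dpt"] not in WEB_PORTS:
            continue
        src_zone = zone(rec["src"])
        if rec["verdict"] == "ICS-ACCEPT" and src_zone != "management":
            violations.append((str(rec["src"]), src_zone))
        elif rec["verdict"] == "ICS-DROP":
            blocked[str(rec["src"])] += 1
    return violations, blocked


if __name__ == "__main__":
    found, dropped = audit(SAMPLE_LOG)
    for src, z in found:
        print(f"CONTROL FAILURE: {src} ({z}) reached the web interface on port 80")
    for src, n in dropped.most_common():
        print(f"blocked {n} attempt(s) from {src} ({zone(ipaddress.ip_address(src))})")
```

On the constructed sample the audit flags the business-network host 192.168.7.2, whose connection to port 80 was accepted, and counts the two blocked attempts from 192.168.4.17 and one from the external address 203.0.113.9; the management host's accepted sessions are not reported, and traffic to ports other than 80 is ignored. Accepted connections from a non-management zone are the finding that matters, since they mean the device's unauthenticated web interface is reachable despite the advisory's guidance.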
The affected data controllers are used primarily in the United States. However, attackers are increasingly targeting SCADA systems located all over the world.
On December 23, 2015, attackers who had deployed a variant of the BlackEnergy malware caused a power outage in western Ukraine. ICS-CERT later confirmed that "cyber intrusions" caused the outages, but it stopped short of attributing them to BlackEnergy in particular.