Flaw leaves US energy systems open to attack

A data controller used by potentially thousands of US power plants is vulnerable to a serious security flaw that will not be patched, the Department of Homeland Security has warned.

The department's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a security advisory detailing the public availability of an exploit into the affected data controller.

The alert warns that the product, the 8832 Data Controller from Environmental Systems Corporation (ESC), can not be updated to address the flaw because no additional code space is available.

By taking advantage of the vulnerability, attackers are potentially able to bypass authentication and use the controller's web interface to gain action to functions that should be reserved for accounts with higher privileges by using brute force.

The vulnerabilities can be exploited remotely, and even an attacker with low skill would be able to exploit them, the advisory warns.

ZDNet reports that as of 2012, there were more than 4000 units of the affected controller in the field, mostly in the US.

ICS-CERT has rated the vulnerability a 7.5 using the Common Vulnerability Scoring System version 3 (CVSS v3), which uses a 10-point scale.

ESC is recommending that affected users upgrade the device to a newer version that does not share the vulnerability. While a patch will not be available, steps can be taken to reduce the risk, including minimising network exposure for all control systems and isolating control system networks.

Image courtesy of Kenneth Lu under CC