SCADAfence Discovers Vulnerabilities In Widely Deployed BMS Devices

NIST Issues 4 CVEs Resulting From SCADAfence’s Findings

SCADAfence, the global technology leader in OT & IoT cyber security, today announced that its cyber security research team has discovered major vulnerabilities in multiple industrial devices that had no previously assigned CVEs.

In response, NIST has issued the first-ever CVEs for Alerton, a subsidiary of Honeywell. The most serious of the vulnerabilities received a base score of 8.8, indicating that NIST believes it to be a very high-impact exposure in Alerton’s product.

The new CVEs affect the Ascent suite of products commonly used in industrial Building Management Systems (BMS). Left unhandled, these vulnerabilities could allow users with malicious intent to access Alerton’s controllers and make unauthorized configuration changes to BMS devices. The changes would not be reflected in the user interface, making them likely to go undetected.

“The vulnerabilities discovered by the SCADAfence research team could lead to a major cyber event if not patched,” said SCADAfence CEO Elad Ben-Meir. “SCADAfence reiterates its commitment to increasing the security posture of the world’s critical infrastructure and OT networks. These findings are only the latest contributions of our team of OT research experts, who continuously pentest the most commonly deployed devices and work with tier-one organizations to maintain OT network security.”

The Alerton Ascent BMS system dates back to 2014 and comprises several hardware components, including the Ascent Control Module, and the Ascent Compass software, which is used as the Human-Machine Interface (HMI). Alerton has been a subsidiary of The Honeywell Corporation since 2005.

Any facility that has deployed the Ascent BMS system could be vulnerable to attack by threat actors exploiting these weaknesses.

There are an unlimited number of potentially dangerous scenarios that could be caused by threat actors exploiting these vulnerabilities.

Some possibilities include:

  • 9/11-style hijackers attack a building’s BMS systems and cause catastrophic damage. No airplane needed.
  • An IVF clinic that stores human embryos at sub-zero temperatures could experience an undetected rise in temperatures that would result in the destruction of the embryos.
  • Pharmaceutical production facilities that require specific temperatures for manufacturing life-saving medications or vaccinations could have to throw out millions of doses.
  • Server farms that house critical hardware could be caused to overheat, leading to the destruction of vital data.
  • Any manufacturing facility that employs chemicals could have its ventilation system remotely shut down, leading to physical injury to workers.
  • Food production facilities that require consistent temperatures for food safety could unknowingly ship tainted products.

Two groups of major vulnerabilities were discovered by SCADAfence’s protocol research team, leading NIST to issue the new CVEs.

The first allows unauthenticated configuration changes to be made by a remote user. This enables configuration data to be stored on the controller and then implemented. A user with malicious intent can send a crafted packet to change the controller configuration without the knowledge of the other users, altering the controller’s function capabilities.

The second allows unauthenticated programming writes to be made by remote users. This enables code to be stored on the controller and then run without verification. A user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller’s function. After the programming change, the program needs to be overwritten in order for the controller to restore its original operational function.

Full details on the newly issued CVEs can be found on the official NIST website.

To address these weaknesses and keep their organization safe, SCADAfence advises anyone who has deployed Alerton’s Ascent BMS to make sure that:

  • the OT network is isolated;
  • BAS firewalls are configured properly;
  • ACM baseline configurations are created and maintained;
  • BAS protocols are disabled on external network segments;
  • Ethernet is disabled on all ports that do not require BACnet/Ethernet.

Additionally, it is important to implement a network monitoring tool to observe any access via the BACnet protocol, or any attempts to access devices and change their configuration.
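The monitoring advice above, as an added example that is not SCADAfence’s or Alerton’s code: a small BACnet/IP decoder that flags write-class confirmed requests (WriteProperty, ReinitializeDevice and similar) arriving from any host outside a baseline allowlist of known writers. The allowlist address and the sample packets are constructed for the example; the frame layout follows the BACnet/IP (BVLC, NPDU, APDU) encoding of ASHRAE 135.

```python
import struct
from typing import Optional, Tuple

# BACnet confirmed-service choices (ASHRAE 135) that alter controller state.
WRITE_CLASS_SERVICES = {7: "atomicWriteFile", 10: "createObject", 11: "deleteObject",
                        15: "writeProperty", 16: "writePropertyMultiple",
                        17: "deviceCommunicationControl", 20: "reinitializeDevice"}
# Hypothetical baseline: the only host (e.g. the Compass HMI) expected to write to controllers.
AUTHORISED_WRITERS = {"10.0.5.10"}

def parse_confirmed_request(pkt: bytes) -> Optional[Tuple[int, int]]:
    """Return (service_choice, invoke_id) for a BACnet/IP Confirmed-Request, else None."""
    try:
        # BVLC: type 0x81, function Original-Unicast (0x0a) or Original-Broadcast (0x0b), length
        if pkt[0] != 0x81 or pkt[1] not in (0x0A, 0x0B) or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
            return None
        npdu = pkt[4:]
        if npdu[0] != 0x01 or npdu[1] & 0x80:      # bad version, or a network-layer message
            return None
        ctl, i = npdu[1], 2
        if ctl & 0x20:                              # DNET(2) DLEN(1) DADR(DLEN) present
            i += 3 + npdu[i + 2]
        if ctl & 0x08:                              # SNET(2) SLEN(1) SADR(SLEN) present
            i += 3 + npdu[i + 2]
        if ctl & 0x20:
            i += 1                                  # hop count follows the addresses
        apdu = npdu[i:]
        if apdu[0] >> 4 != 0:                       # PDU type 0 = Confirmed-Request
            return None
        # header: type/flags, max-segs/max-APDU, invoke ID, [seq, window if segmented], service
        return (apdu[5] if apdu[0] & 0x08 else apdu[3]), apdu[2]
    except (IndexError, struct.error):
        return None

def check_packet(src_ip: str, pkt: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (src, service_name, invoke_id) for a write-class request from outside the baseline."""
    parsed = parse_confirmed_request(pkt)
    if parsed is None or src_ip in AUTHORISED_WRITERS:
        return None
    name = WRITE_CLASS_SERVICES.get(parsed[0])
    return (src_ip, name, parsed[1]) if name else None

def bvlc(npdu_apdu: bytes) -> bytes:
    """Wrap NPDU+APDU in an Original-Unicast-NPDU header (for the constructed samples below)."""
    return b"\x81\x0a" + struct.pack("!H", 4 + len(npdu_apdu)) + npdu_apdu

# Constructed samples: WriteProperty (0x0f), ReadProperty (0x0c), ReinitializeDevice (0x14)
SAMPLE_WRITE  = bvlc(b"\x01\x04\x00\x05\x01\x0f\x0c\x00\x00\x00\x01\x19\x55")
SAMPLE_READ   = bvlc(b"\x01\x04\x00\x05\x02\x0c\x0c\x00\x00\x00\x01\x19\x55")
SAMPLE_REINIT = bvlc(b"\x01\x04\x00\x05\x03\x14\x09\x00")
```

In a deployment the source address and payload would come from a span port or packet capture on UDP 47808, and every returned tuple would be raised as an alert and compared against the maintained ACM baseline.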
