OT and IoT cybersecurity firm SCADAfence has discovered potentially serious vulnerabilities in a widely used building management system made by Alerton, a brand of industrial giant Honeywell.
Four vulnerabilities have been discovered in the Alerton Compass software, which is the product’s human-machine interface (HMI), in the Ascent Control Module (ACM), and in the Visual Logic component. SCADAfence says this is the first time CVE identifiers have been assigned to vulnerabilities in Alerton products.
SCADAfence will soon publish a blog post detailing its findings. In the meantime, the company has issued a press release that points to entries in the National Vulnerability Database providing technical information for each of the four security vulnerabilities.
The vulnerabilities, two of which have been classified as “high severity”, can be exploited by sending specially crafted packets to the targeted system. Unauthenticated remote attackers can make configuration changes or write unauthorized code on the controller, which can lead to changes in controller functionality. If an attacker writes malicious code to the controller, the victim will need to overwrite the program in order to restore original operational function.
The cybersecurity firm pointed out that malicious changes would not be reflected in the user interface, making it more likely that the attack would go unnoticed.
SecurityWeek used the Shodan search engine to search for Internet-exposed Alerton systems and found 240 results, the vast majority in the United States and a dozen in Canada. Most of the exposed systems are HMIs and controllers.
Yossi Reuven, Head of Security Research Team at SCADAfence, confirmed to SecurityWeek that exploiting the vulnerabilities directly from the Internet is possible.
SCADAfence described several theoretical worst-case scenarios involving the exploitation of vulnerabilities.
Hackers could, for example, target a building’s management system to cause “catastrophic damage”, or they could alter temperatures in healthcare, pharmaceutical or food production facilities where maintaining certain temperatures is essential. Malicious actors could also remotely shut down ventilation systems, which could pose a safety risk in manufacturing facilities that work with hazardous chemicals.
SCADAfence says Honeywell is expected to release fixes soon. In the meantime, the cybersecurity firm has shared a series of recommendations for affected Alerton customers, including ensuring their OT network is isolated, properly configuring building automation system (BAS) firewalls, creating and maintaining basic ACM configurations, disabling BAS protocols on external network segments, and disabling Ethernet on all ports where it is not needed.
SecurityWeek has contacted Honeywell for comment and will update this article if the company responds.
Threat actors targeting building management systems are not unheard of. Kaspersky recently reported that Chinese hackers were using these types of systems as an infiltration point in an attack targeting a telecommunications company.