This post is also available in: עברית (Hebrew)
The US Department of Homeland security has issued a warning the thousands of industrial energy systems can be remotely hacked. These internet-connected systems rely on a remote monitoring device, which is often used in energy facilities, that is dangerously susceptible to multiple security vulnerabilities, the department’s Emergency Readiness Team (CERT) said.
The ESC 8832 data controller allows personnel to accurately monitor industrial units from afar, but can be hacked by a “low skilled” attacker with little trouble, warned CERT.
“The device supports different accounts with distribution of system privileges. An attacker can gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter,” reads CERT’s advisory.
The issues with the device come from its web interface, which the department says can be easily exploited to gain elevated privileges to the device. This could allow an attacker to gain administrative rights, which could be used to change sensitive settings and information.
The unit was introduced by ESC in 2001, with the last module being sold in 2013 when the company ceased production. ESC said it would provide support to the device until the end of the decade, but pushed “those who used the device to upgrade to the newer ESC 8864 data controller,” ZDNet reports.
According to a 2012 company newsletter, more than 4,000 of the vulnerable devices are used across the US. This present a tremendous risk to the American electrical infrastructure, as a determined attacker could conceivably exploit thousands of units to absolutely shatter the grid.
ZDNet reports that ESC did not respond to requests for comment.