Security Market Segment LS
Monday, 30 May 2016 22:41

A SCADA system that cannot be patched

By

ICS-CERT has advised of a vulnerable SCADA system currently in use that cannot be patched.

On February 18 2015, security researcher Maxim Rupp advised Environmental Systems Corporation (ESC) that their 8832 Data Controller was subject to two vulnerabilities.

According to the advisory there exist privilege management and authentication bypass issues. All models with version 3.02 and earlier are affected.

The first vulnerability would permit an attacker to gain admin access simply by forcing a parameter in the administration URL; the second gives the attacker the ability to modify the device's configuration.

The advisory states, "ESC has stated the ESC 8832 Data Controller has no available code space to make any additional security patches; so, a firmware update is not possible. ESC has released an advisory that identifies compensating controls to reduce risk of exploitation of the reported vulnerabilities."

Further, "ESC's recommendation for mitigation is to upgrade the device. Alternatively, block Port 80 with a firewall in front of the device. Another alternative is to educate operators and users to not use the web interface for device management, because there are other means to manage the device."

In other words, the vulnerability is easy to fix, but the patches cannot be applied as there isn't any free code-space to store them.

Just to compound the situation, exploit code is already available online.

The manufacturer of this device ceased making it in 2013 and support is due to expire on 1 January 2019, so users should already be seriously considering an upgrade to the newer ECS 8864 version.

WEBINAR event: IT Alerting Best Practices 27 MAY 2PM AEST

LogicMonitor, the cloud-based IT infrastructure monitoring and intelligence platform, is hosting an online event on May 27th aimed at educating IT administrators, managers and leaders about IT and network alerts.

This free webinar will share best practices for setting network alerts, negating alert fatigue, optimising an alerting strategy and proactive monitoring.

The event will start at 2pm AEST. Topics will include:

- Setting alert routing and thresholds

- Avoiding alert and email overload

- Learning from missed alerts

- Managing downtime effectively

The webinar will run for approximately one hour. Recordings will be made available to anyone who registers but cannot make the live event.

REGISTER HERE!

LAYER 1 ENCRYPTION A KEY TO CYBER-SECURITY SOLUTION

Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.

DOWNLOAD!

David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.

VENDOR NEWS & WEBINARS

REVIEWS

Recent Comments