Security Market Segment LS
Monday, 30 May 2016 22:41

A SCADA system that cannot be patched


ICS-CERT has advised of a vulnerable SCADA system currently in use that cannot be patched.

On February 18 2015, security researcher Maxim Rupp advised Environmental Systems Corporation (ESC) that their 8832 Data Controller was subject to two vulnerabilities.

According to the advisory there exist privilege management and authentication bypass issues. All models with version 3.02 and earlier are affected.

The first vulnerability would permit an attacker to gain admin access simply by forcing a parameter in the administration URL; the second gives the attacker the ability to modify the device's configuration.

The advisory states, "ESC has stated the ESC 8832 Data Controller has no available code space to make any additional security patches; so, a firmware update is not possible. ESC has released an advisory that identifies compensating controls to reduce risk of exploitation of the reported vulnerabilities."

Further, "ESC's recommendation for mitigation is to upgrade the device. Alternatively, block Port 80 with a firewall in front of the device. Another alternative is to educate operators and users to not use the web interface for device management, because there are other means to manage the device."

In other words, the vulnerability is easy to fix, but the patches cannot be applied as there isn't any free code-space to store them.

Just to compound the situation, exploit code is already available online.

The manufacturer of this device ceased making it in 2013 and support is due to expire on 1 January 2019, so users should already be seriously considering an upgrade to the newer ECS 8864 version.


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.



Recent Comments