SCADAfence detects vulnerabilities in Alerton BMS devices, calls for isolation of OT networks

OT and IoT cybersecurity company SCADAfence disclosed on Thursday several security vulnerabilities on multiple industrial devices made by Alerton, a Honeywell subsidiary. In response, the NIST (National Institute of Standards and Technology) issued four CVEs for the Alerton disclosures, with the most serious of the vulnerabilities receiving a base score of 8.8, indicating that the agency believes it to be a very high-impact exposure in Alerton’s product.

SCADAfence said that the latest Common Vulnerabilities and Exposures (CVEs) affect the Ascent suite of products commonly used in industrial building management systems (BMS). “Left unhandled, these vulnerabilities could allow users with malicious intent to access Alerton’s controllers and make unauthorized configuration changes to BMS devices. The changes would not be reflected in the user interface, making them likely to go undetected,” the company added in a press statement.

“The vulnerabilities discovered by the SCADAfence research team could lead to a major cyber event if not patched,” Elad Ben-Meir said in the statement. “SCADAfence reiterates its commitment to increasing the security posture of the world’s critical infrastructure and OT networks. These findings are only the latest contributions of our team of OT research experts, who continuously pentest the most commonly deployed devices and work with tier-one organizations to maintain OT network security.”

The Alerton Ascent BMS system offers smart building technology, delivering intuitive and powerful automation and management solutions for facilities of any size. It provides higher visibility and greater control with an intuitive solution that manages complex ecosystems. The product line comprises several hardware components, including the Ascent Control Module and Ascent Compass software used as the human/machine interface (HMI). Alerton has been a subsidiary of Honeywell since 2005.

SCADAfence identified two groups of significant vulnerabilities discovered by the company’s protocol research team. The first allows unauthenticated configuration changes to be made by a remote user, enabling configuration data to be stored on the controller and implemented. As a result, a user with malicious intent can send a crafted packet to change the controller configuration without the knowledge of the other users, altering the controller’s function.

The second group allows unauthenticated programming writes to be made by remote users, enabling code to be stored on the controller and then run without verification. For example, a user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller’s function. After the programming change, the program needs to be overwritten for the controller to restore its original operational function.

SCADAfence also said that any facility that deployed the Alerton Ascent BMS system could be vulnerable to attack by threat actors exploiting these weaknesses. Furthermore, an unlimited number of potentially dangerous scenarios could be caused by threat actors exploiting these vulnerabilities.

Some possibilities outlined by SCADAfence include 9/11-style hijackers attacking a facility’s BMS systems and causing catastrophic damage, though no airplane is needed. It also said that hackers could target an IVF clinic that stores human embryos at sub-zero temperatures, causing an undetected rise in temperature that would destroy the embryos.

SCADAfence also assessed that pharmaceutical production facilities that require specific temperatures for manufacturing life-saving medications or vaccinations could have to throw out millions of doses. Additionally, server farms that house critical hardware could be made to overheat, leading to the destruction of vital data or a breach. It also cautioned that any manufacturing facility that employs chemicals could have its ventilation system remotely shut down, leading to physical injury to workers. Lastly, the company determined that food production facilities that require consistent temperatures for food safety could unknowingly ship tainted products.

The probability of hackers remotely targeting ventilation systems may appear rare. Still, in May, industrial cybersecurity firm Nozomi Networks conducted a security analysis of the Siemens PXC4.E16, a building automation system of the Desigo/APOGEE family for HVAC and building service plants. Its researchers identified a vulnerability, tracked under Siemens SSA-626968 and CVE-2022-24040, caused by an improper implementation of the password-based key derivation mechanism for user accounts. It also could have been abused to perform a Denial-of-Service (DoS) attack against the controller.

SCADAfence advises organizations that deploy Alerton’s Ascent BMS to make sure their OT network is isolated in order to address these weaknesses and keep their organization safe. Additionally, building automation system firewalls must be configured correctly, Access Control Manager (ACM) baseline configurations should be created and appropriately maintained, and building automation system protocols should be disabled on external network segments.

Furthermore, Ethernet must be disabled on all ports that do not require BACnet/Ethernet. Finally, implementing a network monitoring tool is important to observe any access via the BACnet protocol or attempts to access devices and change any configurations.
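The monitoring recommendation above can be turned into a simple baseline check. The following is an added example written for this article, not code from SCADAfence, Alerton or Honeywell; it assumes a monitoring tool exports per-flow records with source, destination, destination port and decoded BACnet service name, and uses constructed sample flows, OT segment ranges and an HMI address.

```python
import ipaddress
from dataclasses import dataclass

BACNET_PORT = 47808  # standard BACnet/IP UDP port (0xBAC0)
# Confirmed BACnet services that alter controller state; everything else is treated as read-only
WRITE_SERVICES = {"writeProperty", "writePropertyMultiple", "atomicWriteFile",
                  "reinitializeDevice", "deviceCommunicationControl"}

@dataclass
class Alert:
    reason: str
    src: str
    dst: str
    service: str

def audit_bacnet_flows(flows, ot_segments, authorized_writers):
    """Return alerts for BACnet flows that violate the isolation baseline.

    flows: iterable of dicts with src, dst, dport, service (assumed monitor export format)
    ot_segments: CIDR strings that make up the isolated OT network
    authorized_writers: hosts (e.g. the Compass HMI) allowed to write to controllers
    """
    ot_nets = [ipaddress.ip_network(n) for n in ot_segments]
    alerts = []
    for f in flows:
        if f["dport"] != BACNET_PORT:
            continue  # not BACnet/IP, out of scope for this check
        src = ipaddress.ip_address(f["src"])
        if not any(src in net for net in ot_nets):
            # BACnet should never be reachable from outside the OT segments
            alerts.append(Alert("bacnet from outside OT segment", f["src"], f["dst"], f["service"]))
            continue
        if f["service"] in WRITE_SERVICES and f["src"] not in authorized_writers:
            # Inside the OT network, only the baseline-approved hosts may write configuration or programs
            alerts.append(Alert("unauthorized configuration/program write", f["src"], f["dst"], f["service"]))
    return alerts

# Constructed sample flows (hypothetical addresses, not real traffic)
SAMPLE_FLOWS = [
    {"src": "10.10.5.20", "dst": "10.10.5.101", "dport": 47808, "service": "readProperty"},
    {"src": "10.10.5.20", "dst": "10.10.5.101", "dport": 47808, "service": "writeProperty"},
    {"src": "10.10.5.77", "dst": "10.10.5.101", "dport": 47808, "service": "writeProperty"},
    {"src": "192.168.1.50", "dst": "10.10.5.101", "dport": 47808, "service": "readProperty"},
    {"src": "192.168.1.50", "dst": "10.10.5.101", "dport": 443, "service": "-"},
]

def run_sample():
    # 10.10.5.0/24 is the assumed OT segment; 10.10.5.20 is the assumed HMI host
    return audit_bacnet_flows(SAMPLE_FLOWS, ["10.10.5.0/24"], {"10.10.5.20"})

if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.reason}: {a.src} -> {a.dst} ({a.service})")
```

Only the write from the non-baseline host and the BACnet flow arriving from the non-OT address are flagged; the HMI's own write and non-BACnet traffic are not.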

Last month, Intelligent Buildings announced that Chinese-speaking hackers had targeted building automation systems across several Asian organizations to gain access to more secure areas of their networks. The hackers have been detected using Microsoft Exchange vulnerabilities known as ProxyLogon.
