Industrial Control Systems (ICS) have long been enticing targets for cybercriminals, as they hit the attack criteria trifecta: They are often deployed in highly sensitive and critical environments, they run on legacy operating systems, and they are often outside the purview of organizational patch management and vulnerability assessment policies. For these reasons, McAfee Advanced Threat Research (ATR) chose to investigate a broadly utilized building controller.
As part of this research, our team found a critical vulnerability in the “enteliBUS Manager,” an industrial control system produced by Delta Controls, which is used to centrally manage building systems including HVAC, building access controls, pressure rooms, boilers, pumps and more across a range of industries including telecommunications, education, healthcare and government. These types of devices are increasingly popular with building management because they help better manage resources like time and energy through automation.
The controller offers users clear benefits. Various building systems can be controlled from one central unit, giving users the ability to pressurize an operating room in a hospital or adjust the cooling components within the A/C system based on thermostat readings. But with this simplicity comes a critical flaw: A single point of failure creates a vulnerability across the entire network.
We found that malicious actors could infiltrate a targeted system without any previous knowledge of the device’s configuration or even its intended industry application. To complicate the issue even further, the devices are hackable over the internet with no authentication, meaning systems can be fully compromised and controlled covertly and remotely.
The zero-day vulnerability could allow hackers to gain complete control over building systems, putting individuals and infrastructure at risk. Take a hospital, for example: With access to the Delta Controls device, an attacker could eliminate the positive pressure in an operating room, facilitating the spread of airborne disease.
Keeping with McAfee’s responsible disclosure program, we reached out to Delta Controls as soon as we discovered the vulnerability. Working in partnership with our team, Delta developed an effective patch for the vulnerability, which is now available to all users. It’s worth noting that a general lack of security awareness or urgency in this space may mean hundreds of these devices remain unpatched. Whether their devices are network- or internet-connected, we urge Delta Controls’ customers to patch them in a timely manner.
The reality is that in the world of cyberthreats, the biggest attack implications are often connected to the most subtle details. A change in the air pressure of a specific hospital room or the way door locking mechanisms or HVAC systems are controlled can respectively trigger airborne illness, trap employees or shut down major data centers. The potential dangers of a seemingly simple vulnerability like this should not go unnoticed and should be remediated immediately.
Steve Povolny serves as the Head of Advanced Threat Research within McAfee. Steve started his career working in network security at Target Corporation, where he developed his first passion for all things security, leading penetration testing and internal forensics. After several years, he transitioned to TippingPoint, now a division of Trend Micro, and spent several years as a security researcher, learning a combination of offensive and defensive security. Steve discovered his true passion was developing and leading world-class teams of highly capable and uniquely innovative security researchers – he brings that passion to McAfee along with his vision for ATR as one of the world’s most trusted and capable security research organizations.
Douglas McKee is a Senior Security Researcher for the McAfee Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. Douglas has an extensive background in penetration testing, reverse engineering, malware analysis and forensics and throughout his career has provided software exploitation training to many audiences, including law enforcement.