OT Security Firm Warns of Safety Risks Posed by Alerton Building System Vulnerabilities

OT and IoT cybersecurity company SCADAfence has discovered potentially serious vulnerabilities in a widely used building management system made by Alerton, a brand of industrial giant Honeywell.

Four vulnerabilities have been found across three components: the Alerton Compass software, which is the product’s human-machine interface (HMI); the Ascent Control Module (ACM); and the Visual Logic component. SCADAfence says this is the first time CVE identifiers have been assigned to vulnerabilities in Alerton products.

SCADAfence will soon publish a blog post detailing its findings. In the meantime, the company has issued a press release that points to National Vulnerability Database entries providing some technical information for each of the four security holes.

The vulnerabilities, two of which have been rated ‘high severity’, can be exploited by sending specially crafted packets to the targeted system. Remote, unauthenticated attackers can make configuration changes or write unauthorized code on the controller, both of which can lead to changes in the controller’s functionality. If an attacker writes malicious code on the controller, the victim will need to overwrite the program in order to restore the original operational function.

The cybersecurity firm pointed out that the malicious changes would not be reflected in the user interface, making it more likely for the attack to go unnoticed.

SecurityWeek has used the Shodan search engine to look for internet-exposed Alerton systems and found 240 results, the vast majority of them in the United States and a dozen in Canada. Most of the exposed systems are HMIs and controllers.

Yossi Reuven, security research team lead at SCADAfence, confirmed for SecurityWeek that exploitation of the vulnerabilities directly from the internet is possible.

SCADAfence has described several theoretical worst-case scenarios involving exploitation of the vulnerabilities.

Hackers could, for instance, target a building’s management system to cause ‘catastrophic damage’, or they could tamper with temperatures in healthcare, pharmaceutical or food production facilities where maintaining certain temperatures is critical. Malicious actors could also remotely shut down ventilation systems, which could pose a safety risk in manufacturing facilities that work with dangerous chemicals.

SCADAfence says Honeywell is expected to release patches soon. In the meantime, the cybersecurity firm has shared a series of recommendations for impacted Alerton customers, including ensuring that their OT network is isolated, properly configuring building automation system (BAS) firewalls, creating and maintaining ACM baseline configurations, disabling BAS protocols on external network segments, and disabling Ethernet on all ports where it’s not needed.

SecurityWeek has reached out to Honeywell for comment and will update this article if the company responds. 

Attacks on building management systems are not unheard of. Kaspersky reported recently that Chinese hackers used these types of systems as a point of infiltration in an attack aimed at a telecoms company.

UPDATE: Honeywell has provided the following statement:

Security is a top priority at Honeywell, and we are committed to taking all appropriate measures to ensure the highest integrity of our products and services. We are aware of the findings presented by SCADAfence, which did not take into consideration guidance in the Alerton ACM Dealer and End User Security Guides that we shared with them. We have encouraged our Alerton customers to follow our published security guidelines, review their current configuration and make any necessary updates.

UPDATE 2: SCADAfence has published a technical blog post describing the vulnerabilities.


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.