Zero-day vulnerability announced by McAfee at Defcon
Richard Harris in Security, Monday, August 19, 2019
At DEFCON, McAfee has announced the discovery of a zero-day vulnerability in a commonly used Delta industrial control system.
The vulnerability found in the Delta enteliBUS Manager could allow malicious actors complete control of the operating system, enabling remote manipulation of access control systems, boiler rooms, temperature control for critical systems and more. This backdoor was caused by a buffer overflow vulnerability, or a mismatch in the memory sizes used to handle incoming network data.
This news comes on the back of yesterday’s announcement of a 10-year-old remote-code-execution vulnerability found in a popular Avaya desk phone. Both the Delta and Avaya vulnerability discoveries prove that backdoors for bad actors to enter sensitive industrial and corporate environments are wide-ranging, and easy to miss. As more and more devices are connected to the internet, businesses, manufacturers and end users must be increasingly vigilant.
Steve Povolny, Head of McAfee Advanced Threat Research
In the world of cyberthreats, the biggest attack implications are often connected to the subtle details; a change in the air pressure of a specific hospital room or the way door locks or HVAC systems are controlled can respectively trigger airborne illness, entrap people or shut down major data centers if compromised.
While the potential for a physically devastating cyberattack through exploitation of this vulnerability is certainly there, realistically, the most likely threat vector is that which would be most lucrative for a cybercriminal. For example, deploying a ransomware attack through the exploitation of this unique vulnerability would be highly effective against unpatched systems. Unfortunately, there are examples of victimized businesses in critical positions, such as hospitals, that have had to make the difficult decision to pay a ransom to keep human lives out of jeopardy.
Industrial Control Systems have long been enticing targets for cybercriminals, as they hit the attack criteria trifecta: they are often deployed in highly sensitive and critical environments, run on legacy operating systems, and are outside the purview of organizational patch management and vulnerability assessment policies. Further, there is very little regulation around security breaches for industrial controls, so many attacks go both unnoticed and unreported, lending to a false sense of security and lack of understanding of the problem. This is a primary reason McAfee Advanced Threat Research practices responsible disclosure; by providing vendors with the insight to vulnerabilities they would likely never find internally, we can leverage the power of vendor and researcher collaboration to provide effective solutions, while educating the industry as a whole and collectively raising the bar for the adversary.
Delta Controls Inc.
With the growth in business around IoT, open connectivity, open hardware and open software platforms, hardening systems around cybersecurity and data privacy is becoming an integral part of an organization's processes. As a global manufacturer of control systems, we understand the risks that our products could face in a building management system and as building systems become more connected, the risk increases.
At Delta Controls Inc. we have established formal processes around this need to manage security risks. We are working with McAfee’s Advanced Threat Research team, one of the world's global leaders in cybersecurity threat research and threat intelligence, to help improve the security of our products from vulnerabilities. McAfee’s research has been invaluable and shown excellent results. Delta Controls Inc. also continues to work closely with industry experts to ensure that our products and processes are developed using current best practices.
At Delta Controls Inc. we believe communications is critical to our cybersecurity program. We encourage research groups to responsibly disclose vulnerabilities to our team. Likewise, Delta Controls Inc. is committed to regularly communicating cybersecurity information to our customers and our industry. These processes are important in our effort to broaden the understanding of the threats our products could be subjected to and the steps we all need to take to ensure secure systems. Our program includes a security center for our System Integrators and customers, gap and hardening analysis for our products and business, and an ongoing commitment to developing products that encourage secure networks.