The Nova-Wind Turbine HMI – a human-machine interface for a wind turbine used in the energy sector – from Germany-based company RLE International GmbH contains a vulnerability that can be exploited remotely by an attacker to modify configurations and settings.
The issue – which was identified by independent researcher Maxim Rupp and was detailed in an ICS-CERT advisory – exists because the Nova-Wind Turbine HMI stores credentials in a plaintext file. If an attacker is able to recover the file, then they can authenticate to the HMI and perform any action on the device.
ICS-CERT made several attempts to contact RLE International GmbH, but the vendor did not respond in validating or addressing the issue, the advisory indicated. Because the vulnerability can be exploited remotely and with little skill, ICS-CERT urges users to ensure the device is not connected to the internet.
In comments emailed to SCMagazine.com on Friday, Tim Erlin, director of IT security and risk strategy at Tripwire, noted an upward trend in vulnerability disclosures for industrial control systems, particularly in the energy space, and added that energy generation, transmission and distribution companies will ultimately pay the price if these types of vulnerabilities remain unpatched.
“Increased scrutiny from the security industry, in combination with the introduction of more networked systems, has uncovered inherent flaws in design, implementation and code,” Erlin said. “This trend isn't likely to stop or slow down, as the vendors in the space seem to be playing catch up with more mainstream technology players around security.”