OTPulse
FeedAboutContact

RLE Nova-Wind Turbine HMI Unsecure Credentials Vulnerability (Update A)

Low RiskICS-CERT ICSA-15-162-01AMar 14, 2015
Summary

Nova-Wind Turbine HMI contains hardcoded or default credentials that lack adequate security controls. The vulnerability is present in all versions of the product. An attacker with network access to the HMI could log in using these weak credentials and gain control of the turbine interface. The vendor has not provided a patch for this issue.

What this means
What could happen
An attacker with access to the Nova-Wind Turbine HMI could log in using hardcoded or weak default credentials and gain control of the turbine interface, potentially allowing them to modify operational parameters, disable safety interlocks, or shut down the turbine.
Who's at risk
Wind energy operators running RLE Nova-Wind Turbine HMI systems, particularly those in manufacturing and renewable energy sectors where turbines are remotely monitored or controlled via networked interfaces.
How it could be exploited
An attacker on the same network as the HMI could attempt to log in using default or hardcoded credentials discovered in documentation or through common credential databases. Once authenticated, the attacker has full access to the HMI control interface and can issue commands to the turbine.
Prerequisites
  • Network access to the Nova-Wind Turbine HMI interface
  • Knowledge of default or hardcoded credentials for the HMI
  • Access to the same network segment as the HMI or exposed remote access interface
Unsecured credentials (default or hardcoded)No patch availableAffects control interface with potential impact on safety and operations
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
ProductAffected VersionsFix Status
Nova-Wind Turbine HMI: vers:all/*All versionsNo fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2
HARDENINGImmediately change all default credentials on the Nova-Wind Turbine HMI to unique, complex passwords and document the new credentials securely
WORKAROUNDRestrict network access to the HMI using firewall rules or network segmentation—allow only authorized engineering workstations and SCADA servers to reach the HMI interface
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor access logs to the HMI for failed login attempts and unauthorized access patterns
Mitigations - no patch available
0/1
Nova-Wind Turbine HMI: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGImplement network segmentation to isolate turbine control systems from untrusted networks and the internet
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/0a7c9f3d-b35d-4c6e-afc1-73ceb586a894
RLE Nova-Wind Turbine HMI Unsecure Credentials Vulnerability (Update A) - OTPulse