Emerson DeltaV Distributed Control System

Monitor6.1ICS-CERT ICSA-19-190-01Jul 9, 2019

Attack VectorAdjacent

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in Emerson DeltaV Smart Switch authentication allows an attacker with high-level administrative or engineering credentials on the DeltaV network to gain unauthorized administrative access to the switches. The vulnerability is rooted in insecure credential handling (CWE-798). Exploitation requires local or adjacent network access and cannot be performed remotely. Successful exploitation could allow an attacker to modify process control logic, alter setpoints, or disrupt normal operations of the DeltaV DCS. Affected versions include DeltaV DCS 11.3.x and 12.3.x.

What this means

What could happen

An attacker with high-level administrative or engineering access could gain full administrative control of DeltaV Smart Switches, potentially enabling unauthorized modification of process control logic, setpoints, and system configurations that could disrupt plant operations.

Who's at risk

Water authorities and electric utilities using Emerson DeltaV Distributed Control System versions 11.3.x or 12.3.x are affected. This impacts operators of critical process control infrastructure that relies on DeltaV Smart Switches for automation and monitoring. Engineering staff and system administrators managing DeltaV systems need to apply controls immediately.

How it could be exploited

An attacker with high-privilege credentials (engineering or administrative account) on the DeltaV network could exploit hardcoded or embedded credentials in the Smart Switch authentication mechanism to escalate to administrative access on the switches themselves. The attack requires local or adjacent network access; it cannot be performed remotely over the Internet.

Prerequisites

High-privilege user credentials (engineering or administrator account) on the DeltaV system
Network access to the DeltaV control network where Smart Switches are connected
Local or adjacent network position; not remotely exploitable from the Internet

Default or embedded credentialsHigh privileges required for exploitationNo public exploits availableNot remotely exploitableNo patch available for affected versions

Exploitability

Low exploit probability (EPSS 0.5%)

Affected products (2)

2 pending

ProductAffected VersionsFix Status

DeltaV DCS: 12.3.x12.3.xNo fix yet

DeltaV DCS: 11.3.x11.3.xNo fix yet

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict network access to DeltaV Smart Switches to authorized engineering and operations staff only; implement firewall rules to prevent access from the business network

HARDENINGReview and enforce strong access controls for high-privilege accounts (engineering and administrative) on DeltaV systems; audit credential management practices

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply vendor patch from Emerson Guardian Support Portal (article DSN19003, KBA# NK-1900-0808) when available and a maintenance window can be scheduled

Long-term hardening

0/2

HARDENINGSegment the DeltaV control network from the business network using a firewall or air-gap to prevent lateral movement from compromised business systems

HARDENINGDeploy DeltaV systems and Smart Switches according to Emerson's DeltaV Security Manual, available in the Guardian Support Portal

CVEs (1)

CVE-2018-11691

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/910adf36-880e-4157-b0c5-2fb07bcfa2a4