Emerson ROC800, ROC800L and DL8000
Monitor | 6.3 | ICS-CERT ICSA-22-223-04 | Aug 11, 2022
Attack Vector: Local
Auth Required: High
Complexity: High
User Interaction: Required
Summary
Vulnerability in Emerson ROC800, ROC800L, and DL8000 remote operations controllers allows file manipulation through insufficient access controls. The vulnerability requires local access, high privileges, and user interaction. No public exploits are known. Emerson recommends following the Secure Gateway guidance in the ROC800-Series Instruction Manual section 1.11.
What this means
What could happen
An attacker with local physical access, elevated privileges, and the ability to trigger user interaction on a ROC800/DL8000 device could manipulate files, potentially affecting process configuration or historical data integrity at water treatment or power facilities.
Who's at risk
Water utilities and municipal electric utilities operating Emerson ROC800, ROC800L, or DL8000 remote operations controllers should assess exposure. These devices are commonly used for supervisory control of SCADA networks, pumping systems, and distribution equipment. Impact is highest for facilities where configuration integrity and audit trails are critical for compliance or operational safety.
How it could be exploited
An attacker must gain local console or workstation access to the device, obtain or be granted high-level credentials (engineering/maintenance privileges), and trick a user into performing an action that triggers the vulnerability. The attacker then manipulates files on the device, which could alter process configurations or audit logs.
Prerequisites
- Physical or local network access to the ROC800/ROC800L/DL8000 device console or engineering workstation
- High-level user privileges (engineering or administrator credentials)
- User interaction required (ability to trigger user action on the device)
- Non-standard or misconfigured access controls on the device
- No patch available
- Affects configuration management on control devices
- Requires high privileges and local access (reduces risk)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
ROC800: All versions | All versions | No fix (EOL)
ROC800L: All versions | All versions | No fix (EOL)
DL8000: All versions | All versions | No fix (EOL)
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Implement the Secure Gateway access control procedures outlined in ROC800-Series Remote Operations Controller Instruction Manual section 1.11 (D301766X012)
HARDENING: Isolate ROC800/ROC800L/DL8000 devices from the business network using firewall rules; do not expose to the Internet
HARDENING: Restrict local access to ROC800/ROC800L/DL8000 consoles and engineering workstations; implement physical access controls and multi-factor authentication where available
HARDENING: Monitor and log all file access and modification events on ROC800/ROC800L/DL8000 devices; review logs regularly for unauthorized changes
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ROC800: All versions, ROC800L: All versions, DL8000: All versions. Apply the following compensating controls:
HARDENING: Use VPNs with current security updates if remote engineering access to ROC devices is required; segment VPN users from production control network
CVEs (1)