OTPulse

SAUTER Controls Nova 200 - 220 Series (PLC 6)

Act Now | CVSS 9.8 | ICS-CERT ICSA-23-012-05 | Jan 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Nova 200-220 Series PLCs (including Nova 220 DDC, Nova 230 DDC, Nova 106 communication card, and moduNet300) contain two vulnerabilities in their BACnet communication stack: CWE-306 (missing authentication) and CWE-319 (cleartext transmission). An unauthenticated attacker with network access to the BACnet port can read sensitive configuration data and inject unauthorized control commands. SAUTER Controls discontinued this product line in 2016 and has not released patches. The vendor recommends users upgrade to current solutions and implement network-level protections.

What this means
What could happen
An attacker with network access to these legacy PLC controllers could obtain sensitive system information and execute arbitrary commands, potentially altering control logic, disrupting building climate or process automation, or stopping operations entirely.
Who's at risk
Manufacturing facilities and building automation operators using legacy SAUTER Controls Nova 200-220 series PLCs (Nova 220, Nova 230, Nova 106 communication cards, moduNet300) for HVAC, energy management, or process control. These devices are typically found in older commercial and industrial buildings and manufacturing plants that have not yet upgraded automation infrastructure.
How it could be exploited
An attacker on the same network segment (or with routing to the PLC) can send unauthenticated BACnet protocol messages to the Nova device. Because the BACnet stack lacks authentication (CWE-306) and transmits data in cleartext (CWE-319), the attacker can read configuration and operational data, then inject commands to change setpoints or control states without any authorization check.
Prerequisites
  • Network access to BACnet port (typically UDP 47808)
  • No valid credentials required
  • PLC must be running vulnerable firmware version 3.3-006 or earlier with BACnet stack 4.2.1 or earlier
  • Device must have BACnet communication enabled
Risk factors
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available (end-of-life product)
  • Affects process automation and safety-adjacent systems
  • Affects HVAC and building control
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (4), all 4 EOL
Product | Affected Versions | Fix Status
Nova 200-220 Series (PLC 6): Nova 220 (EYK220F001) DDC with BACnet connection: Firmware | ≤ 3.3-006 (with ≤ bacnetstac 4.2.1) | No fix (EOL)
Nova 200-220 Series (PLC 6): Nova 230 (EYK230F001) DDC with BACnet connection: Firmware | ≤ 3.3-006 (with ≤ bacnetstac 4.2.1) | No fix (EOL)
Nova 200-220 Series (PLC 6): Nova 106 (EYK300F001) BACnet communication card: Firmware | ≤ 3.3-006 (with ≤ bacnetstac 4.2.1) | No fix (EOL)
Nova 200-220 Series (PLC 6): moduNet300 (EY-AM300F001, EY-AM300F002): Firmware | ≤ 3.3-006 (with ≤ bacnetstac 4.2.1) | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement a firewall rule to block all inbound BACnet traffic (UDP port 47808) to the PLC unless traffic originates from a known authorized engineering workstation or building management system
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Perform a network scan to identify all Nova 200-220 and related devices in use, document their current location and function, and assess whether they can be decommissioned or replaced
Long-term hardening
HOTFIX: Upgrade to a current SAUTER Controls building automation system; Nova 200-220 series was discontinued in 2016 and no patched firmware is available
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Nova 200-220 Series (PLC 6): Nova 220 (EYK220F001) DDC with BACnet connection: Firmware, Nova 200-220 Series (PLC 6): Nova 230 (EYK230F001) DDC with BACnet connection: Firmware, Nova 200-220 Series (PLC 6): Nova 106 (EYK300F001) BACnet communication card: Firmware, Nova 200-220 Series (PLC 6): moduNet300 (EY-AM300F001, EY-AM300F002): Firmware. Apply the following compensating controls:
HARDENING: Isolate the building automation network (containing the Nova PLC) from the corporate/business network using a firewall or network switch VLAN to prevent lateral movement from IT systems
HARDENING: If remote access to the Nova PLC is required, implement a VPN gateway in front of the device and restrict access by IP address; regularly update VPN firmware and credentials
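
An added example (not part of the advisory and not SAUTER or OTPulse code): a check of exported firewall or flow records for UDP 47808 traffic aimed at a Nova PLC from sources outside the authorized list, useful for verifying the firewall workaround and network isolation described above. The CSV column names, addresses, allowlist, and verdict labels are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

BACNET_PORT = 47808  # BACnet/IP UDP port named in the advisory

# Constructed sample flow records (not real traffic); column names are assumed.
SAMPLE_FLOWS = """ts,src,dst,proto,dport,action
2023-01-12T08:00:01Z,10.20.0.5,10.20.0.11,udp,47808,allow
2023-01-12T08:00:07Z,10.10.4.77,10.20.0.11,udp,47808,allow
2023-01-12T08:01:13Z,10.10.4.77,10.20.0.12,udp,47808,deny
2023-01-12T08:02:40Z,10.20.0.6,10.20.0.12,udp,47808,allow
2023-01-12T08:03:02Z,10.10.4.77,10.20.0.11,tcp,443,allow
2023-01-12T08:03:30Z,10.10.9.3,10.20.0.50,udp,47808,allow
2023-01-12T08:04:00Z,not-an-ip,10.20.0.11,udp,47808,allow
"""

PLC_ADDRS = ["10.20.0.11", "10.20.0.12"]            # assumed Nova PLC inventory
ALLOWED_SOURCES = ["10.20.0.5/32", "10.20.0.6/32"]  # assumed BMS and engineering workstation


def audit_bacnet_flows(flow_csv, plc_addrs, allowed_sources):
    """Return (ts, src, dst, verdict) for BACnet flows to a PLC from non-allowlisted sources."""
    plcs = {ipaddress.ip_address(a) for a in plc_addrs}
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (ValueError, TypeError, KeyError):
            continue  # skip malformed records rather than abort the audit
        if row["proto"].lower() != "udp" or dport != BACNET_PORT or dst not in plcs:
            continue  # not BACnet/IP traffic to an inventoried PLC
        if any(src in net for net in allowed):
            continue  # authorized BMS or engineering workstation
        # "allow" means the packet reached the PLC: the block rule is missing or too broad.
        verdict = "REACHED_PLC" if (row["action"] or "").lower() == "allow" else "BLOCKED"
        findings.append((row["ts"], str(src), str(dst), verdict))
    return findings


if __name__ == "__main__":
    for ts, src, dst, verdict in audit_bacnet_flows(SAMPLE_FLOWS, PLC_ADDRS, ALLOWED_SOURCES):
        print(f"{ts} {src} -> {dst}:{BACNET_PORT}/udp {verdict}")
```

A `REACHED_PLC` finding means the allowlist rule is not in effect for that path; `BLOCKED` findings show the rule working and identify hosts that should not be talking BACnet to the controller at all.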