Warning: Flaws in Copeland OT controllers can be leveraged by threat actors

Experts have warned IT leaders for years that operational technology (OT) devices connected to the internet can have serious vulnerabilities that lead to network compromises. On Tuesday, a security company disclosed the discovery of 10 holes in controllers from heating, cooling, and refrigeration system manufacturer Copeland LP that could allow a threat actor to disable or gain remote control of equipment, possibly damaging products and injuring people.

Armis called the vulnerabilities in Copeland’s E2 and E3 controllers “Frostbyte10”. It issued its report after Copeland released updated firmware, version 2.31F01, that corrects the issues; CSOs should ensure the update is promptly installed.

The vulnerabilities, Armis said, “represented a potential high value target for attackers seeking to disrupt or ransom retail infrastructure providers.”

Move toward zero trust

“The flaws discovered could have allowed unauthorized actors to remotely manipulate parameters, disable systems, execute remote code, or gain unauthorized access to sensitive operational data. When combined and exploited, these vulnerabilities can result in unauthenticated remote code execution with root privileges,” the report said.

But perhaps the bigger news is the cause of one hole in the E3 firmware: a default admin user, “ONEDAY”, whose daily generated password can, on an unpatched system, be predicted by a threat actor (the bug is designated CVE-2025-6519). Default admin users and passwords are the bane of any OT or IT system. CSO recently reported on a default password issue with Brother printers.

Other E3 vulnerabilities can allow a threat actor to authenticate using only a password hash, to retrieve all usernames and password hashes for the application services through an API call, or to access any file by uploading a specially crafted building floor plan.

The E2 vulnerability (CVE-2025-52551) stems from a proprietary protocol that allows unauthenticated file operations.

“Guessable or predictable passwords embedded in OT devices are common,” Robert Beggs, head of Canadian incident response firm Digital Defence, said in an email to CSO. “Persons responsible for the management of OT devices are focused on production and reliability of service, not security. As a result, you frequently encounter OT devices that are insecure.”

To ensure security, organizations have to move towards a zero trust architecture for deploying OT devices, Beggs said. That includes verifying user identity, enforcing multifactor authentication, supporting role-based access, and ensuring that all access to devices is securely monitored and logged.

Asked for comment on the Armis report, Copeland sent a statement to CSO saying that safeguarding the quality and security of the company’s products and customers’ applications “is our top priority. Our E2 and E3 controllers have provided reliable service for more than two decades to hundreds of companies and across essential industries such as food retail, refrigeration, industrial processing, and cold storage. We actively partner with the global cybersecurity community to help us continue to improve our products and advance industrywide standards as cybersecurity environments and threats continue to evolve and expand,” the company said. 

“Upon being notified of potential E2 and E3 vulnerabilities, Copeland engineers acted immediately to swiftly address potential issues and ensure our customers’ systems remained secure, while maintaining transparent communication with all potentially affected customers,” Copeland continued. “At this time, there are no known exploits of the potential vulnerabilities. We strongly encourage our customers to apply the available patches promptly to ensure continued security.” 

‘Expected shortcomings’

The E2 Facility Management System is designed to provide complete control of building and refrigeration systems, including compressor groups, condensers, walk-ins, HVAC units, and lighting, Copeland said.  

The newer E3 system adds a built-in touch-screen display with a web-accessible interface and integration with Copeland’s supervisory control software. The E3 replaces the E2, which went end-of-life in October 2024. However, some organizations may still be using E2 systems, and the unauthenticated proprietary protocol in E2 controllers permits sensitive operations without any form of identity verification or encryption. “These are not just coding oversights,” says Armis, “they represent structural risks that can persist in OT environments for years.”

The findings by Armis aren’t uncommon, said Beggs. “In fact,” he added, “they might fall under the umbrella of ‘expected shortcomings.’ Until the most recent past, [OT] devices were judged primarily on whether or not they worked, and performed expected tasks. They were not expected to provide secure functionality, and there was no reward or penalty for an insecure device.”

Demand secure OT devices

Because of this, Beggs warned, “if organizations don’t demand secure devices, they will not be provided by the vendor.”

There have been changes lately in OT cybersecurity, he added, because customers are recognizing the security risks associated with internet-connected devices. But, he said, the changed perspective has to be matched by real changes in how OT devices are acquired and managed.

First, he said, there has to be a requirement or client demand for secure operations. Second, the schism between IT and OT management has to be resolved. “It is completely typical to be asked to do a penetration test of the wired and wireless networks, and then be told to ignore the OT devices because they are managed by a different department,” he said.

Network tools (cybersecurity intelligence, automated inventory, security configuration and management, patching, reporting) have to include OT networks as well as the more common IT networks, Beggs stressed. And incident response processes have to embrace the OT network.

“Presently, the OT network is treated so differently from the IT network that security processes are rare,” he said. “Where they do exist, they are usually a duplicate of what is being offered on the IT network, increasing the cost and complexity of management. Overcoming the ‘great schism’ will reduce costs and potential liability for all users.”