Just a few years ago, it might have sounded like a premise out of some big-budget spy movie: cyber thieves hacking into commercial building and refrigeration systems to disrupt the global food supply chain. Today, that scenario no longer seems so farfetched.
Copeland LP, a manufacturer of controls and monitoring systems for the cold chain, found out just how likely that was, when it hired cybersecurity specialist Armis Labs to look into the vulnerability of its E2 and E3 controllers for facility management and supervisory control, respectively.
Copeland asked Armis to issue a Common Vulnerabilities and Exposures (CVE) report on the equipment, and submit it to the Cybersecurity and Infrastructure Security Agency (CISA), a branch of the U.S. Department of Homeland Security. Armis delivered: It uncovered a total of 10 flaws in the controllers — dubbing them the Frostbyte 10 — that would have allowed bad actors to remotely execute code, manipulate temperatures, spoil food and medicines, and even gain access to wider networked environments. “Every company needs some way to remotely connect devices, when they need to help a customer install things,” explains Shaul Garbuz, network researcher with Armis Labs.
Copeland sells control systems to some of the nation’s largest retailers and supermarkets. Armis’s initial goal, Garbuz says, wasn’t to smoke out vulnerabilities in the controllers. It was to identify all of the devices that connect to a network. “We’ve done routine work on some very large customers that use Copeland controllers,” he says. “We wanted to inspect the traffic — see if there were any active querying abilities.”
The first “red flag” occurred when Armis was testing the web user interface in a controller and used an incorrect command, causing the device to crash. That led to the broader discovery that became the Frostbyte 10.
The E2 controller, an older device that’s now at its end-of-support stage, contained a proprietary protocol that would have allowed access to the system without any authentication or encryption. “These are not just coding oversights,” Armis commented in the wake of the revelations. “They represent structural risks that can persist in OT [operational technology] environments for years.”
The remaining nine vulnerabilities making up the Frostbyte 10 concerned the newer E3 model of controller. Many consisted of password and login protocols that exposed the devices to unauthorized parties. Garbuz says the equipment contained some highly predictable administrative passwords that made the system easy to access — “mechanisms that Copeland put in place on purpose, but did not secure properly.”
The potential damage that hackers with access to underlying systems could do to a cold chain is extensive, Garbuz says. They could spoil product by adjusting heating and air conditioning, and even alter lighting systems, so that they fail to activate in an emergency. What’s more, tinkering with one device could have a knock-on effect on other equipment within a warehouse or store, as well as far beyond the walls of a standalone facility.
The danger to entire networks is an unwelcome side effect of the internet of things, which has made countless devices both connected and “smart.”
“As in any cyberattack, people forget that anything is a computer,” Garbuz says. And that reality opens doors to any equipment with access to the internet, ramping up the threat of third-party incursions into critical systems.
Armis recommends a number of best practices to protect key control systems from cyber thieves, including the segregation of OT systems from traditional IT networks “to limit the exposure of critical infrastructure.” It also urges companies to conduct comprehensive risk assessments and regular vulnerability scans on connected devices.
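The recommendations above (keep OT controllers off the IT network, assess risk, and scan connected devices regularly) can be turned into a repeatable inventory audit. The script below is an added example, not code from Armis, Copeland, or the article; every subnet, device name, model label, and password list in it is constructed for illustration, and the "reachable_from" view stands in for whatever a real firewall or ACL export would provide. It flags three of the conditions the article describes: an OT controller reachable from an IT subnet that is not an approved jump host, a predictable administrative password, and a device past end-of-support.

```python
"""Constructed OT inventory audit: segregation, weak admin passwords, end-of-support.

All subnets, device records and the password list are made up for this example.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed zone map: OT and IT address space as the defender defines it.
ZONES = {
    "OT": [ipaddress.ip_network("10.20.0.0/16")],
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
}

# Constructed deny-list of predictable admin passwords (illustrative, not from the page).
PREDICTABLE_PASSWORDS = {"admin", "password", "1234", "controller", ""}


@dataclass
class Device:
    name: str
    ip: str
    model: str                # constructed model label, not a vendor part number
    end_of_support: bool
    admin_password: str       # as recorded in the asset inventory
    # Constructed firewall view: source prefixes permitted to reach this device.
    reachable_from: list = field(default_factory=list)


def zone_of(ip: str) -> str:
    """Return the zone name whose subnets contain ip, or UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "UNKNOWN"


def audit(devices, allowed_it_sources=()):
    """Return (device, finding, detail) tuples for each policy violation.

    allowed_it_sources lists IT prefixes (e.g. a jump host) that may reach OT.
    """
    findings = []
    for dev in devices:
        if zone_of(dev.ip) == "OT":
            for src in dev.reachable_from:
                src_net = ipaddress.ip_network(src)
                from_it = any(src_net.subnet_of(net) for net in ZONES["IT"])
                if from_it and src not in allowed_it_sources:
                    findings.append((dev.name, "IT_TO_OT_PATH", src))
        if dev.admin_password.lower() in PREDICTABLE_PASSWORDS:
            findings.append((dev.name, "PREDICTABLE_ADMIN_PASSWORD", "-"))
        if dev.end_of_support:
            findings.append((dev.name, "END_OF_SUPPORT", dev.model))
    return findings


# Constructed sample inventory: one badly placed legacy controller, one compliant one.
SAMPLE_DEVICES = [
    Device("cooler-ctl-01", "10.20.1.10", "legacy-supervisory-ctl", True,
           "admin", ["10.10.5.0/24", "10.20.1.0/24"]),
    Device("cooler-ctl-02", "10.20.1.11", "supervisory-ctl", False,
           "Tq9!vL2#pX", ["10.20.1.0/24", "10.10.99.5/32"]),
]
APPROVED_JUMP_HOSTS = ("10.10.99.5/32",)  # constructed, the only IT path allowed into OT


def sample_findings():
    return audit(SAMPLE_DEVICES, allowed_it_sources=APPROVED_JUMP_HOSTS)


if __name__ == "__main__":
    for name, finding, detail in sample_findings():
        print(f"{name}: {finding} ({detail})")
```

Run against the constructed inventory, the legacy controller produces all three findings and the second device produces none, because its only IT-side path is the approved jump host. In practice the inventory and the reachability view would be generated from an asset database and a firewall policy export rather than typed in.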
Garbuz acknowledges that the vulnerabilities uncovered in the Copeland controllers were highly specific to those devices. But there are larger implications, he says, especially where connected networks are involved.
“Given the severity of the vulnerabilities, Armis is urging organizations using these controllers to assess their current exposure and to deploy mitigation actions immediately,” the company said.