Predict your next investment

ENERGY & UTILITIES | Natural Gas Utilities
deltaenergyllc.com

See what CB Insights has to offer

Founded Year

2003

Stage

Acquired | Acquired

About Delta Energy

Delta Energy buys and sells natural gas to industrial consumers in 9 states, and provides energy consulting services for companies that don't want to hire own energy staff. Delta manages energy services for major energy users and is an old-timer in the growing world of energy management, having started nearly 20 years ago.

Delta Energy Headquarter Location

5555 Perimeter Drive

Dublin, Ohio, 43017,

United States

614-339-2600

Latest Delta Energy News

Exploitation of Flaws in Delta Energy Management System Could Have 'Dire Consequences'

Aug 30, 2021

By Eduard Kovacs on August 30, 2021 An industrial energy management system made by Delta Electronics is affected by several vulnerabilities whose exploitation could have serious consequences in a real world environment, according to the researcher who discovered the flaws. The existence of the vulnerabilities affecting Delta’s DIAEnergie product was disclosed last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the researcher who identified them, Michael Heinzl. The security holes were reported to the vendor, through CISA, in April, but they have yet to be patched. CISA says patches are expected to become available on September 15. In the meantime, organizations using the affected product have been advised to implement mitigations to reduce the risk of exploitation. Heinzl told SecurityWeek that the eight DIAEnergie vulnerabilities disclosed last week are just some of the issues he reported to the vendor. The remaining flaws will be disclosed at a later date. Four of the eight vulnerabilities have been rated “critical” and described as blind SQL injection bugs that can be exploited by remote, unauthenticated attackers to execute arbitrary code. “Critical” severity ratings have also been assigned to a vulnerability that can be exploited to add new admin users and gain access to the device, and a flaw that can be leveraged for unrestricted file uploads and possibly remote code execution. The remaining two issues have been described as medium-severity flaws that can be exploited to obtain a password in clear text and to launch cross-site request forgery (CSRF) attacks. The affected services are exposed to the network, which means the vulnerabilities can be exploited remotely, the researcher said. In some cases, exploitation from the internet might also be possible, depending on how the user’s network and infrastructure are configured. “There are multiple ways how the vulnerabilities could be chained together,” Heinzl told SecurityWeek. “A malicious actor has multiple venues to achieve a complete compromise of both the DIAEnergie application itself, as well as the underlying system on which the application is deployed on.” He added, “Examples include multiple SQL injections, which would allow an attacker to execute system commands or to retrieve credentials (stored as MD5 hashes, therefore trivial to crack) from the database, an arbitrary file upload vulnerability which also allows the execution of system commands, and others. Due to another issue related to authentication and authorization, it's possible to exploit all of these and similar privileged actions without any prior authentication.” DIAEnergie is an industrial energy management system (IEMS) designed to help companies visualize and improve electric and power systems, particularly high-consumption equipment. The product can be used for remote maintenance and it can be integrated with various industrial control systems (ICS) and data sinks, including power meters, programmable logic controllers (PLCs) and other Modbus devices. In its advisory, CISA says the product is used worldwide. Marketing materials provided by the vendor show that the product is used by various types of organizations, including a semiconductor factory, a bearing manufacturer, and a footwear company. “The consequences of a malicious actor’s actions could be dire for affected customers — falsifying monitoring data, suppressing alarms, using the system as the initial foothold in the network infrastructure for further pivoting, or simply 'ransomwaring' the deployment as has become so prevalent over the last five years or so,” Heinzl explained. SecurityWeek has reached out to the vendor for comment, but the company has yet to respond. CISA last week also published a separate advisory describing a high-severity remote code execution vulnerability affecting Delta’s DOPSoft HMI design software. Exploitation of this flaw involves getting the targeted user to open a specially crafted file. The vulnerability was reported to the vendor through Trend Micro’s Zero Day Initiative (ZDI) by an anonymous researcher. ZDI over the past few months has published several advisories with a “0Day” status for Delta vulnerabilities — a “0Day” status indicates that the bugs have not been patched.

Feb 17, 2021
Emergency exit

Predict your next investment

The CB Insights tech market intelligence platform analyzes millions of data points on venture capital, startups, patents , partnerships and news mentions to help you see tomorrow's opportunities, today.

Delta Energy Patents

Delta Energy has filed 2 patents.

patents chart

Application Date

Grant Date

Title

Related Topics

Status

8/11/2009

8/20/2013

Carbon forms, Tires, Pigments, Rubber properties, Polymer scientists and engineers

Grant

00/00/0000

00/00/0000

Subscribe to see more

Subscribe to see more

Subscribe to see more

Application Date

8/11/2009

00/00/0000

Grant Date

8/20/2013

00/00/0000

Title

Subscribe to see more

Related Topics

Carbon forms, Tires, Pigments, Rubber properties, Polymer scientists and engineers

Subscribe to see more

Status

Grant

Subscribe to see more

CB Insights uses Cookies

CBI websites generally use certain cookies to enable better interactions with our sites and services. Use of these cookies, which may be stored on your device, permits us to improve and customize your experience. You can read more about your cookie choices at our privacy policy here. By continuing to use this site you are consenting to these choices.