Password Shaming: SCADA Password Dump Intended to Improve Security


In-brief: Call it “password shaming”: a group of security researchers has published a list of default administrator credentials for the software that runs many of the world’s industrial facilities and manufacturing lines. 

Call it “password shaming:” a group of security researchers has published a list of default administrator credentials for the software that runs many of the world’s industrial facilities and manufacturing lines.

SCADA Strangelove, a group of researchers who study SCADA (supervisory control and data acquisition) systems, released on Github a spreadsheet containing default administrative passwords for software published by Schneider Electric, Emerson, Siemens and other vendors. Those vendors, the researchers warned, don’t treat default passwords as a vulnerability and need to do more to encourage customers to change the passwords after the software is activated.

The group published a spreadsheet containing passwords for 106 different SCADA products on the web site Github and invited the public to download, edit and add to it. The goal is to make the passwords available to information security professionals, auditors and others who need to assess the security of SCADA deployments.

“We believe that operators and security auditors can use this list for security scanning tools like Nessus or Hydra to check ICS installations for weak passwords and change it,” wrote Sergey Gordeychik, a member of the SCADA StrangeLove Team in an e-mail.

The goal is to change the mindset of vendors in the SCADA industry that still rely on simple username and password combinations to secure industrial control systems. Such systems power much of the critical infrastructure that runs modern economies, but often don’t enforce proper security controls, he said.

Proper security controls could include requirements that users change the default password after first use and use a password that is complex: combining letters, numbers and special symbols.
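Added example (not code from the article or from SCADA Strangelove): a small audit script that reads a default-credential sheet in the same shape as the published spreadsheet (vendor, product, username, password) and checks a device inventory against it, then applies the complexity rule above. All rows and hosts are constructed placeholders; it assumes the auditor has each device’s configured credentials on record (for instance from a credential vault), and the 12-character minimum is an assumption the article does not state.

```python
import csv
import io
import re

# Constructed sample in the spreadsheet's shape. Placeholder rows only,
# not entries from the SCADA Strangelove list.
DEFAULTS_CSV = """vendor,product,username,password
ExampleVendor,ExampleHMI,admin,admin
ExampleVendor,ExamplePLC,operator,operator
OtherVendor,OtherRTU,service,1234
"""

# Constructed device inventory: what the auditor has on record per device.
INVENTORY = [
    {"host": "hmi-01", "product": "ExampleHMI", "username": "admin", "password": "admin"},
    {"host": "plc-07", "product": "ExamplePLC", "username": "operator", "password": "Plant!2024xy"},
    {"host": "rtu-03", "product": "OtherRTU", "username": "service", "password": "Serv1ce#Long"},
    {"host": "rtu-04", "product": "OtherRTU", "username": "service", "password": "svc12345"},
]


def load_defaults(text):
    """Parse the default-credential sheet into a set of (product, username, password)."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["product"], r["username"], r["password"]) for r in rows}


def is_complex(password, min_len=12):
    """Complexity rule from the article: letters, numbers and special symbols.
    The minimum length is an assumed policy value, not from the article."""
    return (len(password) >= min_len
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def audit(inventory, defaults):
    """Return {host: finding} for devices still on a default or a weak password."""
    findings = {}
    for dev in inventory:
        key = (dev["product"], dev["username"], dev["password"])
        if key in defaults:
            findings[dev["host"]] = "default credential still in use"
        elif not is_complex(dev["password"]):
            findings[dev["host"]] = "password does not meet complexity policy"
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY, load_defaults(DEFAULTS_CSV)).items():
        print(f"{host}: {finding}")
```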

Instead, however, most firms that make SCADA software operate on an “if it works, don’t touch it” principle, Gordeychik said. “Sometimes they even do not have information about different features of control devices, such as ‘SMS management,’” he said.

The researchers gathered information on the passwords from open sources such as the vendor’s documentation or known password lists. While most of the products include features for changing default administrative passwords, the practical reality is that many of the passwords are not updated, for fear of disruptions.

The passwords released are not written into the software (“hardcoded”), though Gordeychik said there are plenty of hardcoded passwords that have been uncovered by SCADA Strangelove researchers (and others) as well.

Gordeychik said that the list of default credentials shouldn’t be considered a list of “vulnerabilities” in SCADA. However, retiring default credentials and requiring strong passwords is the first and easiest step to securing deployments of SCADA systems. More sophisticated attacks that leverage software vulnerabilities are unnecessary when attackers can simply log into a device using administrator credentials and make changes to its configuration.

“This is just an entry point. To mount an actual attack you need to understand (industrial) process etc.,” he noted, adding that “this is a good entry point for any attacker.”

Default passwords are a major security issue both within and outside the industrial control space. In October, for example, the firm Applied Risk found that security holes, including weak authentication, plagued widely used industrial equipment known as “power quality analyzers” and could enable remote attackers to disrupt or corrupt operations at firms across industries.

In August, Carnegie Mellon’s CERT reported that a hardcoded firmware password could provide remote hackers with access to a wide range of home broadband routers.

The Department of Homeland Security has published a guide on configuring and managing remote access to industrial control systems that calls for “strong authentication” to secure such systems including the use of so-called “multi factor” authentication requiring a username, password and another piece of information.

2 Comments

  1. He’s wrong in his statement: “To mount an actual attack you need to understand (industrial) process etc.,”

    While that may be true if you are attacking with a purpose, it’s not going to keep the unsophisticated from still being able to create havoc. It’s a control system controller and very easy for the uninitiated to cause damage, even unintentionally.

    • Yeah – I see your point. I think his point is “just compromising a device isn’t necessarily enough to make bad things happen.” So, you can hack into the PLC, but you have to know about ladder logic, etc. to actually reprogram it (maliciously). But – yeah – just getting access may be enough for denial of service attacks or misappropriation of the infrastructure for nefarious purposes (watering hole attacks, spam runs, data theft, etc.)