Researchers Out Default Passwords Packaged With ICS/SCADA Wares

'SCADAPass' tool debuts; meanwhile, some PLCs found hackable via long, random passwords.

ICS/SCADA researchers from Russia have published online a list of popular industrial systems that come packaged with default passwords in hopes that the vendors--which include a who's who in ICS/SCADA--will change their ways in that practice.

The so-called SCADAPass list includes more than 100 products, ranging from controllers to Web servers and from big-name vendors such as Allen-Bradley, Schneider Electric, and Siemens. The researchers gathered information on the products with default passwords such as "admin.admin," "password," "root," and "administrator," from various sources, including the open passwords lists and vendor documentation. They say it's only the "tip of the iceberg" of ICS/SCADA products that come packaged with default authentication.

Default passwords are those that come factory-shipped with the product. A customer (a utility, for example) or its installer would be responsible for setting a new and strong password much like IT administrators are expected to do with their network equipment or other devices. But the researchers say that mentality isn't always a given in the ICS/SCADA world.

"The goal is to change mindset of vendors, who use simple/default passwords in industrial systems without proper security controls -- change on first logon, password complexity, etc. The approach of vendors from IT world," where users are expected to change the default password upon installation in most cases, doesn't work in the ICS world, says Sergey Gordeychik, a member of the SCADA StrangeLove Team of white hat hackers who compiled and posted the SCADAPass list.

"Operators prefer to use 'If it works, don't touch it' principle. Sometimes they even do not have information about different features of control devices," he says. Simple passwords--or none at all--are acceptable for locally accessed and physically protected systems such as HMI or MES panels, he says. However, if they use same authentication for network or radio access, this is a problem. Big problem," Gordeychik says.

He says he and the team stopped short of including "a long list" of hardcoded passwords they have found in their research. Hardcoded passwords can't be changed by the user.

The danger, of course, is getting remote root access to an industrial router, a PLC, or other ICS/SCADA device, basically makes access game over. Exploitation would require an attacker to know the industrial process -- say, water treatment -- to wage a damaging attack, he says.

Finding ICS/SCADA systems with default credentials isn't difficult, however, notes Dale Peterson CEO at ICS/SCADA consulting firm Digital Bond. "We've had our own internal lists like that for years, and we keep adding to them when we come across" more, he says.

The upside to publishing SCADAPass, he says, is that it could help flag these passwords for ICS/SCADA operators. But the tradeoff is these have been flagged to be added to password lookup tools, he says.

Peterson says his firm sometimes finds default credentials in their clients' networks. "The IT security guys have no idea what credentials they should be testing," so SCADAPass could be a useful tool for them, he says.

Hacking Via Big Fat Passwords

Meanwhile, specially crafted passwords also can be used to hack some ICS/SCADA equipment: researchers at CyberX discovered a zero-day flaw in several models of Schneider Electric Modicon M340 PLC products found in some nuclear reactors, water and wastewater sites, and transportation systems.

CyberX found a buffer overflow flaw in the products that can be exploited when a random password of between 90 and 100 characters is typed into the PLC's web interface. It basically crashes the device, and allows an attacker to execute code remotely. Schneider has patched some of the affected models, but several more will be patched on Jan. 16.

Nir Giller, CTO of CyberX, says the hack is a bit ironic given that it exploits the authentication mechanism in the products. "This is the first time we've seen you being able to do a buffer overflow using a password field," he says.

An attacker performing this attack on a master industrial controller could shut down a master PLC, for example, and disable the operations network, Giller notes. The attack could escalate from there, says Giller, who will demonstrate the attack next week at the S4 ICS/SCADA conference in Miami.

Schneider had not responded to press inquiries as of this posting.

Digital Bond's Peterson says ICS/SCADA plant operators should pay more attention to remote access to their control systems. "The biggest risk is allowing a lot of people remote access into your control systems -- employees, vendors, and consultants," Peterson says. That leaves the door open for breaches, especially via a clever spear phishing attack that steals one of those users' credentials, he notes.

And since most ICS/SCADA sites still only sparingly patch their systems if at all due to their emphasis on uptime and operations, risk management and reduction are crucial to keeping plants secure from hackers, experts say.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5