Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:00 PM
Connect Directly

Researchers Out Default Passwords Packaged With ICS/SCADA Wares

'SCADAPass' tool debuts; meanwhile, some PLCs found hackable via long, random passwords.

ICS/SCADA researchers from Russia have published online a list of popular industrial systems that come packaged with default passwords in hopes that the vendors--which include a who's who in ICS/SCADA--will change their ways in that practice.

The so-called SCADAPass list includes more than 100 products, ranging from controllers to Web servers and from big-name vendors such as Allen-Bradley, Schneider Electric, and Siemens. The researchers gathered information on the products with default passwords such as "admin.admin," "password," "root," and "administrator," from various sources, including the open passwords lists and vendor documentation. They say it's only the "tip of the iceberg" of ICS/SCADA products that come packaged with default authentication.

Default passwords are those that come factory-shipped with the product. A customer (a utility, for example) or its installer would be responsible for setting a new and strong password much like IT administrators are expected to do with their network equipment or other devices. But the researchers say that mentality isn't always a given in the ICS/SCADA world.

"The goal is to change mindset of vendors, who use simple/default passwords in industrial systems without proper security controls -- change on first logon, password complexity, etc. The approach of vendors from IT world," where users are expected to change the default password upon installation in most cases, doesn't work in the ICS world, says Sergey Gordeychik, a member of the SCADA StrangeLove Team of white hat hackers who compiled and posted the SCADAPass list.

"Operators prefer to use 'If it works, don't touch it' principle. Sometimes they even do not have information about different features of control devices," he says. Simple passwords--or none at all--are acceptable for locally accessed and physically protected systems such as HMI or MES panels, he says. However, if they use same authentication for network or radio access, this is a problem. Big problem," Gordeychik says.

He says he and the team stopped short of including "a long list" of hardcoded passwords they have found in their research. Hardcoded passwords can't be changed by the user.

The danger, of course, is getting remote root access to an industrial router, a PLC, or other ICS/SCADA device, basically makes access game over. Exploitation would require an attacker to know the industrial process -- say, water treatment -- to wage a damaging attack, he says.

Finding ICS/SCADA systems with default credentials isn't difficult, however, notes Dale Peterson CEO at ICS/SCADA consulting firm Digital Bond. "We've had our own internal lists like that for years, and we keep adding to them when we come across" more, he says.

The upside to publishing SCADAPass, he says, is that it could help flag these passwords for ICS/SCADA operators. But the tradeoff is these have been flagged to be added to password lookup tools, he says.

Peterson says his firm sometimes finds default credentials in their clients' networks. "The IT security guys have no idea what credentials they should be testing," so SCADAPass could be a useful tool for them, he says.

Hacking Via Big Fat Passwords

Meanwhile, specially crafted passwords also can be used to hack some ICS/SCADA equipment: researchers at CyberX discovered a zero-day flaw in several models of Schneider Electric Modicon M340 PLC products found in some nuclear reactors, water and wastewater sites, and transportation systems.

CyberX found a buffer overflow flaw in the products that can be exploited when a random password of between 90 and 100 characters is typed into the PLC's web interface. It basically crashes the device, and allows an attacker to execute code remotely. Schneider has patched some of the affected models, but several more will be patched on Jan. 16.

Nir Giller, CTO of CyberX, says the hack is a bit ironic given that it exploits the authentication mechanism in the products. "This is the first time we've seen you being able to do a buffer overflow using a password field," he says.

An attacker performing this attack on a master industrial controller could shut down a master PLC, for example, and disable the operations network, Giller notes. The attack could escalate from there, says Giller, who will demonstrate the attack next week at the S4 ICS/SCADA conference in Miami.

Schneider had not responded to press inquiries as of this posting.

Digital Bond's Peterson says ICS/SCADA plant operators should pay more attention to remote access to their control systems. "The biggest risk is allowing a lot of people remote access into your control systems -- employees, vendors, and consultants," Peterson says. That leaves the door open for breaches, especially via a clever spear phishing attack that steals one of those users' credentials, he notes.

And since most ICS/SCADA sites still only sparingly patch their systems if at all due to their emphasis on uptime and operations, risk management and reduction are crucial to keeping plants secure from hackers, experts say.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/14/2016 | 10:07:26 AM
Building Control System Integrator Perspective
I come from the BMS (building management systems)/FMS (facility management systems) space and tyically we are rolled into ICS/SCADA.  While a close fit, it is not an exact fit.  Our communtiy is trying to design and implement control systems securely.  However, older systems, for the most part, are forgotten.  It is these systems that this list impacts greatly.  Too many of us left behind default username and passwords as well leaving ports set to the default port.  This article emphasizes the need for us, the BMS/FMS integrators, to reach out to our installed customer base and at lease let them know that these systems need have the default settings changed.
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
1/6/2016 | 4:37:11 PM
Re: Acronyms
Thank you for sharing this, @Dave. I will definitely keep that in mind for future stories.
User Rank: Apprentice
1/6/2016 | 3:53:37 PM
This was a very interesting article but I have one peeve, usage of acronyms w/o spelling out their full name at the first use. Given how technical the article is I believe it's necessary (and proper manual of style). Given my casual interest I had to look up quite a few. Otherwise, nice article.
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...