110+ ICS/SCADA devices have weak default passwords

Jan 7, 2016 12:11 GMT

Russian security researchers have published a list of ICS/SCADA manufacturers that put their clients at risk by providing equipment with weak default access credentials.

ICS/SCADA (Industrial Control Systems/Supervisory Control And Data Acquisition) equipment consists of devices deployed in factories and other critical infrastructure points, across large enterprises and national agencies. They are literally the backbone of every industry, and their security is crucial but often ignored.

SCADA Strange Love is a team of white hat security experts specialized in taking ICS/SCADA equipment apart, highlighting their flaws, and helping manufacturers patch these issues.

Their most recent work included hacking ICS/SCADA equipment used in various railway systems across Europe. They presented this research at the 32nd Chaos Communication Congress (32C3) in Hamburg, Germany.

Soon after that presentation took place, the SCADA Strange Love team also published an intriguing project on GitHub, called SCADAPASS.

SCADAPASS, the ICS/SCADA shame list

This is a list of SCADA equipment, used in various industry fields, which comes with simplistic default administration credentials. These admin logins are shipped with every product, and they are detailed in each product's manual. Usually, the equipment's new owners change these credentials as soon as the equipment is installed. Or at least in theory.

SCADA Strange Love's Sergey Gordeychik says that this list was put together to raise awareness of the fact that there is a lot of ICS/SCADA equipment that, if left unconfigured, could put enterprises and national infrastructure at risk of hacking.

Just this Christmas, Ukraine experienced a series of power outages, which were linked to malware on its electrical power grid's computers. Attackers used the infected computers to interact with ICS/SCADA devices, shutting down power or sabotaging equipment. So there's an actual interest from state-sponsored groups to go after SCADA devices.

SCADAPASS was created to raise awareness of insecure ICS equipment

"Most of vendors don't consider default passwords as vulnerability," Mr. Gordeychik told Softpedia. "And if it's ok for IT, it's a big issue for ICS."

"There are no hardcodes in this list," he also told us, referring to the fact that only equipment with default (changeable) passwords is on the SCADAPASS list. Since hardcoded login credentials are embedded in the device's firmware, they cannot be changed or removed except via a firmware update.

By exposing devices with hardcoded credentials, the SCADA Strange Love team would put companies at unnecessary risk of cyber-attacks. It would also contradict the team's internal guidelines. "We follow responsible disclosure practices and don't publish details about vulnerabilities," said Mr. Gordeychik, referring to the fact that hardcoded credentials (semi-legal backdoors) are considered a vulnerability.

The SCADAPASS list published on GitHub includes manufacturers like B&B Electronics, BinTec Elmeg, Digi, Echelon, Emerson, Hirschmann, IBM, Moxa, Rockwell, Samsung, Schneider Electric, Siemens, Wago, Westermo, and Yokogawa.

Most of the listed 110+ products are programmable logic controllers (PLCs), but servers, wireless gateways, and industrial-grade routers are also on the list.