Default ICS Passwords Published

Thursday, January 7, 2016 @ 04:01 PM gHale

Default passwords associated with industrial control system (ICS) products have been released.

The database, made public by researchers at SCADA StrangeLove, currently includes default credentials for more than 100 products.

The database includes the name of the affected ICS/SCADA product, the type of device, the name of the vendor, default usernames and passwords, the port and protocol over which you can get access to the device, and the source of the information.

The “SCADAPASS” list contains default credentials for industrial routers, programmable logic controllers (PLC), wireless gateways, servers and network modules from vendors such as ABB, B&B Electronics, Digi, Emerson, eWON, Hirschmann, Moxa, Netcomm Wireless, Rockwell Automation, Samsung, Schneider Electric, Siemens and Yokogawa.

Researchers obtained the default passwords from open password lists and vendor documentation. Unlike hardcoded passwords, which can only be eliminated or changed with a patch from the vendor, default passwords can be changed by users.

The goal of this project, according to SCADA StrangeLove researchers, is to change the mindset of ICS vendors and get them to realize they can’t leave security in the hands of control system operators, who usually aren’t aware of all the features on their devices.

The researchers said vendors should implement proper security controls, such as establishing password strength policies and forcing users to change passwords on the first login.
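The two controls the researchers name can be sketched on the device side as follows. This is an added example, not code from SCADA StrangeLove or any vendor; the class and function names, the 12-character minimum and the three-of-four character class rule are assumptions chosen for illustration.

```python
import hashlib, hmac, os, re

MIN_LEN = 12  # assumed policy value, not taken from the article
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def policy_violations(candidate, username, factory_password):
    """Return the policy rules the candidate breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LEN:
        problems.append("too short")
    if sum(bool(re.search(c, candidate)) for c in CLASSES) < 3:
        problems.append("needs 3 of 4 character classes")
    lowered = candidate.lower()
    if any(s and s.lower() in lowered for s in (username, factory_password)):
        problems.append("contains username or factory default")
    return problems

class DeviceAccount:
    def __init__(self, username, factory_password):
        self.username = username
        self._factory = factory_password  # shipped in firmware, so not a secret
        self._salt = os.urandom(16)
        self._digest = _hash(factory_password, self._salt)
        self.must_change = True  # set at manufacture and on factory reset

    def _check(self, password):
        return hmac.compare_digest(self._digest, _hash(password, self._salt))

    def login(self, password):
        # "change_required" must unlock only the change-password screen.
        if not self._check(password):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, old, new):
        if not self._check(old):
            return ["authentication failed"]
        problems = policy_violations(new, self.username, self._factory)
        if not problems:
            self._salt = os.urandom(16)
            self._digest = _hash(new, self._salt)
            self.must_change = False
        return problems
```

Until `change_password` succeeds, the factory credential authenticates but never yields an operational session, so a published default is useless against a device that has been commissioned.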