Hacked Systems and Poor Passwords

Monday, November 28, 2011 @ 05:11 PM gHale


Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

By Eric Byres
A hacker calling himself Pr0f demonstrated how he could easily hack into a SCADA system controlling the water utility at the City of South Houston.

Later, he explained how South Houston had an instance of the Siemens Simatic Human Machine Interface (HMI) software accessible from the Internet. What was particularly problematic was that this connection was protected with an easy-to-hack, three-character password.

Now while Pr0f has been obviously following the latest in hacking techniques, it is clear the team at the South Houston Water Utility is not staying current with even the most basic guidelines on good security passwords. Here are my thoughts on passwords, and some suggestions on dealing with a very imperfect security mechanism.

Passwords are a bad idea on many levels, starting with the fact that expecting people to remember strong passwords defies all understanding of human behavior.

As Michael Schrage outlined in his MIT Technology Review article, “The Password Is Fayleyure,” passwords “perversely inspire abuse, misuse, and criminal mischief by deliberately making users the weakest link in the security chain.” Basically, we have chosen a technology that is almost impossible for humans to manage or remember, but trivial for computers to crack, and then called it security.

Numerous studies show that, when faced with the difficulty of remembering “strong” passwords, people routinely pick simple passwords that are found in dictionaries and are susceptible to brute force attacks. Furthermore, they use the same passwords over and over again, so the successful guess of a single password means numerous devices can suffer from an attack.

The situation in process control environments is even worse.

Instead of one person having to remember a password to access a personal workstation, SCADA equipment access is often shared with an entire group, resulting in even simpler passwords common to multiple devices.

This reuse of passwords has nasty consequences when combined with the many SCADA products that have broken password systems – check many PLC or RTU systems and you will find the passwords being sent in plain text over the network.

During an analysis of an oil refinery, I discovered the PLC password that was trivial to capture off the network was the same one that the controls group used for accessing more robust systems like Windows servers. Once I had the PLC password, I could happily log into the servers as an administrator. At least if they had stuck with the PLC manufacturer’s default passwords, I would have had to work harder to crack the server’s passwords.

Since we are stuck using passwords, I do have a few thoughts on how to make the best out of a bad situation. First, there is good guidance on how to pick memorable, yet more difficult to crack passwords. One of my favorites is from the paper “Password Memorability and Security: Empirical Results.” The authors showed security can be significantly improved if administrators provide explicit guidance on how a password should be chosen. They also provide examples on developing that guidance and my favorite is the following (paraphrased from the paper):

“Choosing a good password is critical to maintaining the security of this system. To construct a good password, create a simple sentence of 8 or more words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and special character should be inserted as well.

“An example is the phrase “It’s 12 noon and I am hungry” which can be used to create the password “I’s12n&Iah”. Under no circumstances should the password contain a word that could be found in a dictionary, is a product or area name or be made up of only letters or numbers.”

It is also critical to make sure passwords used for weak systems (like PLCs) or weak protocols (like FTP or HTTP) are not the same as the passwords used for stronger systems. One client rated their control systems in terms of password robustness and then had “throw-away” passwords for systems that sent passwords over the network in plain text.
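
One way to check for the kind of reuse described above, where a password used on a plain-text system also unlocks a stronger one. This is an added example, not code from the original article; the system names, protocol labels and passwords are constructed, and the set of protocols treated as plain text is an assumption.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumption: protocols treated as sending credentials in clear text.
# "ftp" and "http" come from the article; "plc" is a label for PLC logins.
PLAINTEXT_PROTOCOLS = {"ftp", "http", "plc"}


def fingerprint(password: str, key: bytes) -> str:
    """Keyed digest so the audit compares passwords without storing them."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def find_cross_tier_reuse(inventory, key):
    """Return {fingerprint: (weak_systems, strong_systems)} for every
    password used on both a plaintext-protocol system and a stronger one."""
    weak, strong = defaultdict(list), defaultdict(list)
    for system, protocol, password in inventory:
        tier = weak if protocol.lower() in PLAINTEXT_PROTOCOLS else strong
        tier[fingerprint(password, key)].append(system)
    return {fp: (sorted(weak[fp]), sorted(strong[fp]))
            for fp in weak if fp in strong}


def audit(inventory):
    """Run the reuse check with a throw-away per-run key; return findings
    as sorted (weak_systems, strong_systems) pairs."""
    key = os.urandom(32)
    return sorted(find_cross_tier_reuse(inventory, key).values())


# Constructed sample inventory (system, protocol, password); not real data.
SAMPLE = [
    ("plc-unit-1", "plc", "pump2011"),
    ("plc-unit-2", "plc", "pump2011"),
    ("historian-ftp", "ftp", "Thr0w-away!7"),
    ("win-server-1", "rdp", "pump2011"),
    ("win-server-2", "rdp", "I's12n&Iah"),
]

if __name__ == "__main__":
    for weak_systems, strong_systems in audit(SAMPLE):
        print("Shared password:", weak_systems, "->", strong_systems)
```

Passwords shared only among plain-text systems are not reported, which matches the “throw-away” approach: the finding is a password that crosses from the weak tier into the strong one.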

Frankly, I think passwords as a whole are a complete security disaster – unfortunately one that we are going to have to live with for a few years to come. Since we are stuck with them, I would like to hear what real SCADA and process control engineers are doing about their passwords on the plant floor. Send your ideas and questions and together we will make our systems more secure.

Eric Byres is chief technology officer at Byres Security.


