Internet Facing Control System Alert

Monday, June 25, 2012 @ 06:06 PM gHale

There are additional systems running with default usernames and passwords that are accessible via the Internet and end users need to be aware of the dangers involved, according to a report issued from ICS-CERT.

In fact, the configuration of these systems does not follow common best practices, such as placing them behind a firewall or changing documented default credentials.

The report is a follow-up to a December ICS-CERT alert that tracked multiple reports of researchers using SHODAN, the Every Routable IP Project (ERIPP), Google, and other search engines to discover Internet facing control systems.

ICS-CERT coordinated the information with the control system owners and operators to notify them of their potential vulnerability to cyber intrusion and attack. In most cases, the exposed systems had been deployed without awareness of the potentially insecure access authentication and authorization mechanisms.

ICS-CERT will work with the asset owner/operators and vendor or systems integrators whenever possible to remove any default credentials and secure these systems from attack.

When unauthorized access was identified, ICS-CERT helped control system owners and operators with system and firewall data analysis to determine the extent of the intrusion and whether any configuration changes to the system were needed.

The use of readily available and generally free search tools significantly reduces time and resources required to identify Internet facing control systems. In turn, hackers can use these tools to easily identify exposed control systems, posing an increased risk of attack. Conversely, owners and operators can also use these same tools to audit their assets for unsecured Internet facing devices.

Internet facing control systems have been identified in several critical infrastructure sectors. The systems vary in their deployment footprints, ranging from stand-alone workstation applications to larger distributed control systems (DCS) configurations. These control systems were designed to allow remote access for system monitoring and management. All too often, the remote access configuration allows direct Internet access (no firewall) and/or default or weak user names and passwords. In addition, those default/common account credentials are often available in publicly accessible documentation.

In all cases, ICS-CERT has worked with these organizations to remove default credentials and strengthen their overall security.

The most recent scenarios include:

• ICS-CERT becoming aware of multiple systems with default usernames and passwords that are accessible via the Internet. These systems are not configured in line with common best practices such as being behind a firewall or changing documented default credentials. These reports include the Echelon i.LON product, commonly deployed within ICS devices such as motors, pumps, valves, and sensors, which ships with a default username and password. This is not an inherent vulnerability, but left unchanged it does pose a security risk, especially when the device is configured to be Internet accessible. Users should replace the default username and password with strong ones, especially when the device is Internet accessible.
• ICS-CERT released several products concerning weak authentication mechanisms. Weak authentication mechanisms are often difficult to remedy because users cannot typically change passwords. The products below highlight weak authentication vulnerabilities reported to ICS-CERT and patched by the vendor:
ICSA-11-173-01 – ClearSCADA Remote Authentication Bypass
ICSA-11-356-01 – Siemens Simatic HMI Authentication Vulnerability
ICSA-12-146-01A – RuggedCom Weak Cryptography for Password Vulnerability

• In February 2011, independent security researcher Rubén Santamarta used SHODAN to identify online remote access links to multiple utility companies’ supervisory control and data acquisition (SCADA) systems. Santamarta notified ICS-CERT for coordination with the vendor and the affected control system owners and operators. Further research indicated that other systems were using default user names and passwords.

• In April 2011, ICS-CERT received reports of 75 Internet facing control system devices, mostly in the water sector. ICS-CERT worked with the Water Sector ISAC and the vendor to notify affected control system owners and operators. Many of those control systems had their remote access configured with default logon credentials.
• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet facing devices that he discovered using SHODAN. To date, this response has included international partners and 63 other CERTs in the effort to notify the identified control system owners and operators that their control systems/devices were exposed on the Internet.

• Currently, ICS-CERT is coordinating the response to several new reports of Internet facing control systems from independent researchers Billy Rios, Terry McCorkle, Joel Langill, and other trusted sources.

It goes without saying, but control system owners and operators should audit their control systems — whether or not they think their control systems are connected to the Internet — to discover and verify removal of any default administrator-level user names and passwords. Because each control system installation is unique, owners and operators may need to contact their system vendor or integrator for assistance with locating and eliminating default accounts.
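The two audit steps the report recommends (checking whether a device's management interface is reachable from the Internet, and verifying that documented default accounts are gone) can be run offline against an asset inventory and a firewall policy export. The following script is an added example written for this article; it is not ICS-CERT's or any vendor's tooling. The inventory, the first-match firewall rule set, the placeholder default credential list and the salted SHA-256 password hashes are all constructed sample data, and the `audit`, `reachable_from_internet` and `uses_default_credentials` helpers are hypothetical names chosen for the example.

```python
"""Offline audit of an ICS asset inventory for the two exposures the alert
describes: management interfaces reachable from the Internet and accounts
still using vendor-documented default credentials.

Added example; not ICS-CERT or vendor code. All data below is constructed.
"""
import hashlib
import hmac
import ipaddress

# Constructed placeholder defaults (NOT real vendor credentials). In practice
# this list comes from the vendor's own documentation for each product.
VENDOR_DEFAULTS = {
    "ExampleVendor": [("admin", "DEFAULT-PASSWORD-PLACEHOLDER")],
}

# Constructed first-match firewall policy protecting the plant network.
# dport None means "any destination port".
FIREWALL_RULES = [
    {"action": "allow", "src": "10.0.0.0/8",  "dst": "192.168.10.0/24",  "dport": None},
    {"action": "allow", "src": "0.0.0.0/0",   "dst": "192.168.10.20/32", "dport": 80},
    {"action": "deny",  "src": "0.0.0.0/0",   "dst": "0.0.0.0/0",        "dport": None},
]


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256, standing in for whatever the device export actually uses."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed inventory: one device still on the placeholder default, one changed.
INVENTORY = [
    {"name": "pump-ctl-1", "vendor": "ExampleVendor", "mgmt_ip": "192.168.10.20",
     "mgmt_ports": [80],
     "accounts": [{"user": "admin", "salt": "s1",
                   "password_sha256": hash_password("s1", "DEFAULT-PASSWORD-PLACEHOLDER")}]},
    {"name": "valve-ctl-2", "vendor": "ExampleVendor", "mgmt_ip": "192.168.10.21",
     "mgmt_ports": [80],
     "accounts": [{"user": "admin", "salt": "s2",
                   "password_sha256": hash_password("s2", "correct-horse-battery-staple-2012")}]},
]

# TEST-NET-2 address standing in for "an arbitrary host on the Internet".
PUBLIC_PROBE_SOURCE = ipaddress.ip_address("198.51.100.10")


def reachable_from_internet(rules, dst_ip: str, port: int) -> bool:
    """Evaluate the rule set first-match for a packet from a public source."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if PUBLIC_PROBE_SOURCE not in ipaddress.ip_network(rule["src"]):
            continue
        if dst not in ipaddress.ip_network(rule["dst"]):
            continue
        if rule["dport"] is not None and rule["dport"] != port:
            continue
        return rule["action"] == "allow"
    return False  # implicit deny at end of policy


def uses_default_credentials(vendor: str, account: dict) -> bool:
    """Compare the stored salted hash against each documented default for the vendor."""
    for user, password in VENDOR_DEFAULTS.get(vendor, []):
        if account["user"] != user:
            continue
        candidate = hash_password(account["salt"], password)
        if hmac.compare_digest(candidate, account["password_sha256"]):
            return True
    return False


def audit(inventory, rules):
    """Return (device, finding, detail) tuples; exposure plus defaults is flagged critical."""
    findings = []
    for device in inventory:
        exposed_ports = [p for p in device["mgmt_ports"]
                         if reachable_from_internet(rules, device["mgmt_ip"], p)]
        default_users = [a["user"] for a in device["accounts"]
                         if uses_default_credentials(device["vendor"], a)]
        if exposed_ports:
            findings.append((device["name"], "internet-reachable", tuple(exposed_ports)))
        if default_users:
            findings.append((device["name"], "default-credentials", tuple(default_users)))
        if exposed_ports and default_users:
            findings.append((device["name"], "CRITICAL: exposed with default credentials", ()))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, FIREWALL_RULES):
        print(*finding)
```

Running the script reports pump-ctl-1 three times (reachable on port 80, default admin account, and the combined critical finding) and nothing for valve-ctl-2, whose management address falls through to the final deny rule and whose admin password no longer matches the documented default. Because the comparison is done on hashes, the audit file never needs to hold the defaults or the devices' current passwords in cleartext.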
