A list of default passwords used in over 100 industrial control systems has been published online. The list has been created by the SCADA StrangeLove group of security researchers, who focus on Industrial Control Systems (ICS) and SCADA. With ICS the most commonly discussed first wave of the Internet of Things (IoT), there has been a lot of attention on the security of ICS over the last year.
While some will berate the group for publishing this list of default passwords, which could then be used to attack systems, others will welcome the awareness of the problem that it raises. It is also important to realise that the list contains information only on DEFAULT passwords, which can be easily changed by the user. That means they should have been changed when the devices were deployed and updated regularly since.
Unfortunately, as has been shown many times in the last two years, test after test on ICS shows that many organisations have poor password security. One of the reasons for this is that they are often using systems that have been in place for a number of years, and there are few people left who know what the passwords are or how to change them. At the very least, this list should help those administrators solve that problem. Those unhappy about the release of the list will be looking to see if any attacks can be laid at the door of the list's curators.
The breadth of devices is also interesting. It ranges from industrial routers through to switches, gateways, terminal servers, web servers, PLCs, and energy and power meters. All in all, over 37 vendors are named in the list, showing that this is not a new problem but one that affects a large part of the ICS/SCADA market.
What will concern a lot of security professionals is the number of devices that can potentially be connected to from other systems including the Internet. It will be interesting to see how quickly the manufacturers of the named systems respond and issue software updates to force password changes on the devices.
One of the most common IoT models shows previously hidden ICS systems being exposed by being connected to new generations of Internet-connected systems. SCADA StrangeLove are trying to make companies clean up their act before this happens. However, there is a real risk here. By publishing the list without being in a position to guarantee that everyone affected will respond and change passwords, they could simply be handing information to hackers and cyberterrorists.