In my last two ICS-CERT related blogs I noted that the Digital Security Research Group (DSecRG) web site had two additional ICS vulnerabilities reported that had not yet shown up as ICS-CERT alerts. I heard from two different sources today the reason that those alerts are probably not forthcoming. The first came from a semi-anonymous email (it came from a gaming site, but it was signed with a PGP signature) and the second was from a caller claiming to be from ICS-CERT but I didn’t catch the name as I was running between three meetings at the time.
The DSecRG web site describes vulnerabilities in Tecomat PLCs and the Open Automation Software (OAS) OPC system. According to both sources (in almost identical wording, same person perhaps?) the Tecomat PLC vulnerability is really nothing more than a list of default passwords that should be changed upon system installation; anyone want to venture a semi-educated guess as to how often they are actually changed on PLCs? I don’t know but I would suspect much less often than security folks would like to see. After all PLCs are not connected to the internet, so why bother?
Both sources said:
“That is not a vulnerability. If they are not changed then that is a configuration issue. (We cannot prevent integrators from being stupid).”
The pejorative aside, I can certainly understand why ICS-CERT and many security professionals would take that attitude. They have enough serious ICS security issues without having to worry about people not changing default passwords.
Having said that, many of these systems were installed before most organizations had even heard the term ‘cybersecurity manager’. Now most critical infrastructure facilities (at least) have a person wearing that hat (okay and maybe a couple others as well) who needs to determine if there are any unresolved vulnerabilities in their legacy systems (all new systems, as we all know, come with sophisticated cybersecurity suites; SARCASM Warning). I would expect that a real common problem in many (if not most) of those older systems is that they were installed without changing any of the default passwords.
If an energetic cybersecurity manager knew which systems came with default passwords and knew what they were, it would be relatively easy (okay so that is a slight exaggeration, and our receptionist is just slightly pregnant) to go back and check all of those devices to ensure that the default password is not still active. Without lists like this from people like DSecRG or ICS-CERT, it would be nearly impossible to determine what the default password on legacy systems might be to verify that they had, in fact, been changed.
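As an added illustration (not code from the original post, DSecRG, or ICS-CERT) of the kind of check a cybersecurity manager could run once such a list exists: an offline audit that compares the credential hashes recorded in an asset inventory export against a table of known vendor defaults, so no cleartext passwords and no live logins against PLCs are needed. Every vendor name, model, default credential and inventory row below is a constructed placeholder; the inventory export format and the `KNOWN_DEFAULTS` table are assumptions for the example.

```python
"""Offline default-credential audit for a legacy ICS asset inventory.

Added example, not from the original post. All vendor names, models,
default credentials and inventory rows are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a maintained list of vendor default credentials,
# keyed by (vendor, model). Real entries would come from a published list;
# these placeholder strings carry no real values.
KNOWN_DEFAULTS = {
    ("ExampleVendor", "PLC-100"): [("admin", "DEFAULT_PLACEHOLDER_1")],
    ("ExampleVendor", "PLC-200"): [("admin", "DEFAULT_PLACEHOLDER_2"),
                                   ("operator", "DEFAULT_PLACEHOLDER_3")],
}


def credential_hash(password: str) -> str:
    """SHA-256 of the password, matching how the assumed inventory export
    stores credentials so the audit never touches cleartext from devices."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Asset:
    asset_id: str
    vendor: str
    model: str
    username: str
    password_sha256: str  # hash as recorded in the (assumed) config export


def audit(assets):
    """Return (asset_id, reason) findings: devices still on a vendor default,
    plus devices for which no default data exists and a manual check is due."""
    findings = []
    for a in assets:
        defaults = KNOWN_DEFAULTS.get((a.vendor, a.model))
        if defaults is None:
            findings.append((a.asset_id,
                             "no default-credential data for this model; verify manually"))
            continue
        for user, pw in defaults:
            if user == a.username and credential_hash(pw) == a.password_sha256:
                findings.append((a.asset_id,
                                 f"vendor default still active for user '{user}'"))
                break
    return findings


# Constructed sample inventory: one device never reconfigured, one changed at
# install, one from a vendor the defaults table does not cover.
SAMPLE_INVENTORY = [
    Asset("PLC-01", "ExampleVendor", "PLC-100", "admin",
          credential_hash("DEFAULT_PLACEHOLDER_1")),
    Asset("PLC-02", "ExampleVendor", "PLC-100", "admin",
          credential_hash("ChangedAtInstall-2009")),
    Asset("PLC-03", "OtherVendor", "RTU-9", "admin",
          credential_hash("whatever")),
]


def run_sample():
    return audit(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for asset_id, reason in run_sample():
        print(f"{asset_id}: {reason}")
```

Devices the defaults table does not cover are reported separately rather than silently passed, since on a legacy estate "no data" is not the same as "verified changed".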
Well, if ICS-CERT isn’t going to worry about the problem, maybe SCADAHacker can just add that to the lists he is maintaining on various ICS security issues.
OAS OPC Advisory
Both sources told me today that ICS-CERT was going to be issuing an update on the recent OAS OPC advisory. That update (already planned apparently) will also address the vulnerabilities identified on the DSecRG web site as they are already being dealt with by OAS. If that update provides appropriate mitigation measures for the DSecRG identified vulnerabilities, that certainly sounds like an efficient way of dealing with the problem. No word on when that will be published; hopefully in the next day or two.