On Friday afternoon the DHS ICS-CERT updated their alert on internet accessibility of ICS systems that was originally issued in January. The original report outlined a large number of reports of ICS systems being found on the Internet through the use of SHODAN, Google, ERIPP and other search engines. This update provides information about Internet-facing ICS systems with default passwords or weak authentication.
The update starts off (pg 2) by explaining that: “ICS-CERT has recently become aware of multiple systems with default usernames and passwords that are accessible via the Internet.”
This generic claim is not much help to the general ICS community, but the Alert does note that ICS-CERT has directly contacted the owner/operators of the affected systems to let them know of their vulnerability.
A new vendor name is included in this initial paragraph: Echelon and their i.LON series of communications devices. ICS-CERT notes that the new reports that they have received include information on “the Echelon i.LON product that is commonly deployed within ICS devices such as motors, pumps, valves, sensors, etc., which contain a default username and password”. They do note that this is not an ‘inherent vulnerability’ (read: the user should have corrected the situation during the installation process).
The alert revision goes on to remind its audience that there have been a number of ICS-CERT advisories (including ClearSCADA, Siemens Simatic, and RuggedCom) about systems with weak authentication mechanisms. They do not specifically mention that any of these systems have been reported to be Internet-facing, but given the current state of ICS security it would seem inevitable that a number of these systems are relying solely on their weak authentication systems for Internet protection.
Nothing has changed in the sections of this Alert that deal with mitigation efforts. Neither ICS-CERT nor any other ICS security player has come up with a magic bullet to protect Internet-facing ICS equipment. The revised alert simply serves as an updated reminder that every ICS owner/operator needs to take a hard look at their control systems to ensure that they are appropriately protected. As such, this updated alert deserves the widest possible dissemination.
NOTE: There is an interesting follow-up to this post written by Reid Wightman over on DigitalBond. It is well worth reading and makes some additional points that bear attention. Plus he was nice enough to mention this post. [6-25-12 20:20 EDST]