On Friday afternoon the DHS ICS-CERT updated
their alert on internet accessibility of ICS systems that was originally
issued in January. The original report outlined a large number of reports of
ICS systems being found on the Internet through the use of SHODAN, Google,
ERIPP and other search engines. This update provides information about Internet
facing ICS systems with default passwords or weak authentication.
The update starts off (pg 2) by explaining that: “ICS-CERT
has recently become aware of multiple systems with default usernames and
passwords that are accessible via the Internet.”
This generic claim is not much help to the general ICS
community, but the Alert does note that ICS-CERT has directly contacted the
owner/operators of the affected systems to let them know of their
vulnerability.
There is a new vendor name included in this initial
paragraph, Echelon
and their i.LON series of communications devices. ICS-CERT notes that the new
reports that they have received include information on “the Echelon i.LON
product that is commonly deployed within ICS devices such as motors, pumps,
valves, sensors, etc., which contain a default username and password”. They do
note that this is not an ‘inherent vulnerability’ (read: the user should have
corrected the situation during the installation process).
The alert revision goes on to remind their audience that
there have been a number of ICS-CERT advisories (including: ClearSCADA,
Siemens
Simatic, and RuggedCom)
about systems with weak authentication mechanisms. They do not specifically
mention that any of these systems have been reported to be Internet
facing, but given the current state of ICS security it would seem inevitable that
there would be a number of these systems that are relying solely on their weak
authentication systems for Internet protection.
Nothing has changed in the sections of this Alert that deal with mitigation efforts. Neither ICS-CERT nor any other ICS security player has come up with a magic bullet to protect Internet facing ICS equipment. The revised alert simply serves as an updated reminder that every ICS owner/operator needs to take a hard look at their control systems to ensure that they are appropriately protected. As such this updated alert deserves the widest possible dissemination.
NOTE: There is an interesting follow-up to this post written by Reid Wightman over on DigitalBond. Well worth reading and makes some additional points that bear attention. Plus he was nice enough to mention this post. [6-25-12 20:20 EDST]