Doomed by default passwords

Recent hacks reveal that admins and vendors have fallen behind on protecting legacy systems

1 2 Page 2
Page 2 of 2

What is a device or appliance other than software on a chip or proprietary hardware? There is absolutely nothing inherently more secure about a device or appliance as compared to a regular software system. Software systems are easier to patch and can be made more secure because the software components are simpler to inspect and upgrade.

Perform a password check
Many SCADA environments have at least a few of these weakly password-protected systems lying around. It goes without saying that these systems need to be found and mitigated. It can be a single-person project or a team endeavor.

First, search for and locate all the appliances, computer devices, and network-connected SCADA systems in your environment. Don't forget to include your routers, wireless access points, badge machines, network-connected copy machines, and dusty SCADA control systems.

Next, locate and use one of the many big lists of default passwords available on the Internet. My favorites are available through Phenoelit, Default Password, and CIRT. If you have a device or system that isn't listed, you can always try performing an Internet search using the product's name or model number, along with the search terms "default password." They work most of the time.

Then, using the vendor's default logon names and passwords, try each device in your environment. Each item still using a default password should be marked for immediate change (if allowed by the vendor) and altered after going through change control authorization.

Devices with hard-coded, unchangeable passwords should be considered for removal, especially from the network or from Internet connectivity. If the product is still supported, contact the vendor and ask for product updates to correct the situation. If the product is no longer supported or the vendor doesn't want to make the necessary changes, consider deprovisioning the device. If a hacker took complete control of the system, how much damage could he or she cause? Is the device's function worth the risk?

If you can't remove or secure the device, make sure physical and logical access is strictly controlled. Allowing any Internet access to a SCADA device is high risk, but permitting access to one with a weak password is unforgivable. A last-ditch effort, if you must keep it on the network, might be to filter out incoming weak password strings if you can get a proxy or filtering machine in between the rest of the network and the problem device.

Even your properly protected SCADA devices should be re-examined. A complex 8-character password is no longer considered secure in today's world of cloud computing and graphic-CPU computing. Today, complex 12-character passwords constitute the bare minimum. Network traffic streams containing authentication information must be encrypted and authenticated. Plaintext-passing protocols, such as Telnet and 3270 protocols, are no longer acceptable.

SCADA systems are under attack like never before, and administrators can no longer count on obscurity as their greatest protector.

This story, "Doomed by default passwords," was originally published at Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at For the latest business technology news, follow on Twitter.

Copyright © 2011 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Make your voice heard. Share your experience in CSO's Security Priorities Study.