Saturday, September 10, 2016

Default passwords on control systems: SCADAPASS + DPE = Raise Awareness

When talking about responsible disclosure, everybody has a strong opinion. You may think publishing vulnerabilities is an irresponsible act, or you may think it is the only way to raise awareness among asset owners.
I am in the second category. As a control system cybersecurity evangelist, I spend a lot of time trying to show the hidden attack surface many organizations have, and their lack of visibility into the risks they face by managing their control systems completely apart from the cybersecurity management framework their other systems are in.
SAP servers, file servers, switches and firewalls on the corporate network have security policies, regular audits, and security logging and monitoring. Not doing that should be considered "irresponsible" and negligent.
The same corporation is using CCTV surveillance, access control systems, HVAC, fire detection systems, lighting and energy management systems and many other critical support systems, deployed by control integrators with little training in security practices. And now both networks are connected (and sometimes hyper-connected).

One of the worst (and most common) practices you can find in control networks is installing with the defaults. It means default usernames and passwords work on many devices inside the control network.

In December 2015, SCADA StrangeLove put in place a default password publishing initiative, called SCADAPASS, to raise awareness among control asset owners. Whatever your feelings or opinion on this, the impact was huge in the ICS cybersecurity world and it was included in Metasploit 4.11.6.

Recently I remembered the DPE project from ToolsWatch, and after getting familiar with it, I decided to integrate the SCADA StrangeLove results into the XML DB.
I wrote a quick-and-dirty script to convert the CSV to the DPE XML schema, and these are my results. All new entries are in the "scada" type (-t scada).

As we love numbers, this is a summary of my work:
  • About 47 new pure ICS vendors in the DB (Siemens and Advantech were already there).
  • 125 new elements (without CPE or CVE, since that is a harder process, as you may know), but with their control role or description on the network. The list is too long to publish here.
  • 203 new default usernames and passwords. Some devices have more than 50 default usernames!!!
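As an added example (not the author's script, whose code the post does not include), here is a Python sketch of the same CSV-to-XML conversion together with the vendor, element and credential counts listed above. The CSV column names, the XML element and attribute names, and the sample rows are all assumptions, since neither the scadapass.csv header nor the DPE schema is reproduced on this page.

```python
import csv
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample rows; the header is an assumed layout, not the real scadapass.csv one.
SAMPLE_CSV = """vendor,product,type,username,password,port,protocol
ExampleVendorA,PLC-100,PLC,admin,admin,80,HTTP
ExampleVendorA,PLC-100,PLC,operator,operator,80,HTTP
ExampleVendorB,RTU-7,RTU,root,root,23,Telnet
ExampleVendorB,HMI-3,HMI,user,user,502,Modbus
"""


def parse_scadapass(text):
    """Return the CSV rows as dicts; blank lines and '#' comment lines are skipped."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return list(csv.DictReader(lines))


def summarize(rows):
    """Counts in the spirit of the post: distinct vendors, elements (vendor+product),
    distinct credential pairs, and the largest number of defaults on a single device."""
    per_device = defaultdict(set)
    for r in rows:
        per_device[(r["vendor"], r["product"])].add((r["username"], r["password"]))
    return {
        "vendors": len({r["vendor"] for r in rows}),
        "elements": len(per_device),
        "credentials": sum(len(c) for c in per_device.values()),
        "max_defaults": max(len(c) for c in per_device.values()),
    }


def to_dpe_xml(rows, dpe_type="scada"):
    """Emit a DPE-style XML document grouped per device.
    Element/attribute names here are assumptions, not the real DPE schema."""
    root = ET.Element("dpe", type=dpe_type)
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor"], r["product"], r["type"])].append(r)
    for (vendor, product, role), items in sorted(groups.items()):
        dev = ET.SubElement(root, "device", vendor=vendor, product=product, role=role)
        for r in items:
            ET.SubElement(dev, "credential", username=r["username"], password=r["password"],
                          port=r["port"], protocol=r["protocol"])
    return ET.tostring(root, encoding="unicode")
```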
I have contacted the DPE development team, as I think it can be very useful to anyone in charge of assessing or managing control networks, but most of all for the asset owners of such networks.

The new ICS DPE file can be downloaded here.