Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Prevalence and Impact of Password Exposure Vulnerabilities in ICS/OT 

Analysis and insights on the prevalence and impact of password exposure vulnerabilities in ICS and other OT products.

ICS vulnerabilities

Vulnerabilities related to the exposure of passwords can pose a significant risk to industrial control systems (ICS) and other types of operational technology (OT). SecurityWeek spoke with multiple experts about the prevalence of such flaws and their potential impact.

Threat actors exploiting weak or default passwords to conduct attacks aimed at ICS systems are a reality. In late 2023, hackers linked to the Iranian government hijacked ICS at a municipal water authority in Pennsylvania and water utilities in multiple other states around the US. 

In response, the cybersecurity agency CISA urged device manufacturers to stop relying on customers to change default passwords.

In addition to default passwords, software vulnerabilities that can allow attackers to obtain a product’s password can also pose a significant risk to organizations. In recent weeks, CISA published at least three advisories describing security holes related to the exposure of passwords.

One example is related to the Westermo EDW-100 industrial serial-to-Ethernet converter, in which Nicolai Grødum and Sofia Lindqvist of PwC Norway discovered two critical password-related vulnerabilities. 

The researchers found that the device’s firmware package contains a hardcoded root username and password combination that can be easily extracted and cannot be changed. They also found that an unauthenticated attacker can download a configuration file that contains a username and password in clear text. 

Another recent CISA advisory describes a high-severity vulnerability in Unitronics Vision Legacy series PLCs that allows a remote, unauthenticated attacker to obtain the device’s ‘information mode’ password in plain text. This issue was discovered by Reid Wightman of industrial cybersecurity firm Dragos.

It’s worth noting that Unitronics PLCs — through the exploitation of default passwords — were targeted in the recent Iran-linked attacks aimed at water facilities. 

Advertisement. Scroll to continue reading.

The third CISA advisory describes the findings of researchers Patrick K. Sheehan, Grant Hume, and Donald Macary, who discovered two medium-severity issues in the Campbell Scientific CSI Web Server. Campbell Scientific provides rugged data loggers and data acquisition systems for the environmental, infrastructure, and renewable energy sectors.

One of the issues found by the researchers in the Campbell Scientific product is related to web authentication credentials being stored in a file with a specific name. The passwords are stored in a weakly encoded format and they could be obtained by attackers in certain scenarios.

These vendors have released patches and/or mitigations for these vulnerabilities, but password exposure vulnerabilities are a widespread issue that could impact many ICS/OT products and the organizations that use them. 

SecurityWeek has reached out to these and other experts for insights on the prevalence of password exposure in ICS and OT products, as well as the potential risks and impact associated with these types of vulnerabilities.

The prevalence of password vulnerabilities in ICS and OT

The PwC Norway researchers discovered a password exposed in the firmware, but Grødum, who is head of the company’s Red Team, noted that there are several types of vulnerabilities that can indirectly expose passwords, such as local file or memory read vulnerabilities and insecure network authentication methods. In addition, old servers running OT can be left with remote management services accessible — for instance, exposing IPMI 2.0 password hashes. 

“I’m never shocked when we find something like this,” Grødum said. “Many ICS/OT systems were designed at a time when cybersecurity was not as significant a concern as it is today. As ICS/OT systems are typically designed for long-term use, and little or no external connectivity, many of these legacy systems are still in operation today, making them vulnerable to modern threats.”

“Unfortunately, in my experience, password exposure is much more common when caused by poor password management practices, such as using weak or default passwords or sharing or writing passwords in a text file or making them widely available in a documentation system,” Grødum added. “On a positive note these are quite preventable.”

Wightman said Dragos has identified password exposure vulnerabilities in other products as well, not just in ones made by Unitronics. They have found flaws that can allow unauthenticated users or users with low privileges to retrieve credentials.

“There is a positive here — more ICS equipment actually supports authentication,” Wightman said. “The negative is that we’re seeing a lot of problems with the implementations of authentication. So, it’s a step in the right direction at least, and hopefully we can find and squash these sorts of password-retrieval issues over time.”

John Gallagher, VP of Viakoo Labs at enterprise IoT security firm Viakoo, pointed out that the problem with IoT, ICS and OT systems is that they are often long-lived and they only get replaced when there is a failure, unlike in IT, where there is often a regular technology refresh.

“Hard coded passwords, default passwords, and easily obtained passwords remain an issue because previous generations of systems did not protect these credentials very well,” Gallagher said. “Another aspect of IoT/OT/ICS systems is that the password for a device can also exist within the application that is controlling the devices (IoT systems tend to be a tightly-coupled environment of devices and applications managing devices); this means that both the devices and applications have the potential to reveal password credentials.”

The risks and impact of password exposure vulnerabilities

The attacks seen in the wild have demonstrated how dangerous these types of vulnerabilities can be. 

Casey Ellis, founder and chief strategy officer at bug bounty platform Bugcrowd, pointed out that the criticality of these types of flaws depends on the level of privilege associated with the exposed password. 

“An attacker would be able to take control of the ICS/SCADA endpoint, effectively gaining physical access,” Ellis said.

Gallagher added, “In cases where the root-level password is hard coded and exposed the potential for disaster is enormous (think planting of deepfakes, control of industrial systems, lateral movement to other systems, etc). Root-level or super-user access passwords are clearly the most dangerous in the hands of a threat actor, but even more benign levels of access (e.g. reporting) can expose sensitive data.”

Grødum provided a more specific example of the potential impact resulting from the exploitation of password exposure vulnerabilities.

“Unless there are bulletproof safety systems in place, a single device can take down an entire plant, possibly disrupting a multi-plant production pipeline which can cause significant damage to an entire organization, or even society in the case of critical infrastructure,” the expert noted.

“In some cases, getting access to operating system-level accounts on a device can also provide a threat actor with a good platform for moving laterally,” Grødum added. “Typically, such devices are not monitored, and the use of malware on these to target nearby devices must be detected at the network level. If the organization is not on top of their password management practices, password reuse will significantly expand the blast radius of a password disclosure attack.” 

Another aspect highlighted by Grødum is related to threat actors typically being prevented from having a constantly available control channel from the outside into a network with ICS/OT devices. 

“The most resourceful adversaries will be able to compensate for this with planning, intelligence and automation of complicated and adaptive attacks, developed for months and tested in their lab. Zero-click attacks such as on-demand password disclosure or hard-coded unchangeable root passwords can prove reliable building blocks in a sophisticated attack chain,” Grødum explained.

Addressing password exposure vulnerabilities in ICS and OT

As for what organizations can do to address issues related to password exposure, Jose Seara, CEO and founder at DeNexus, a provider of cyber risk quantification and management for industrial organizations, pointed out that password management is one of the known weaknesses in ICS/OT environments that can be easy to deal with and brings significant improvements to a company’s risk posture. 

“Encryption, VPN, changing default passwords, and, of course, multi-factor authentication are all security best practices that are imperative to deploy in industrial environments,” Seara said. “CISOs can justify these investments by running a cyber risk quantification exercise that translates technical cybersecurity data into business metrics. Such business-level analysis is also usable for compliance, for governance reporting to the board and even optimization of cyber insurance coverage.”

In the case of product vendors, Grødum advises them to continue releasing security updates for devices that are still in use.

“Even if no new features are planned and the devices have been superseded, their customers rely on the devices, possibly irreplaceably integrated into a process with a very long lifespan. I’d even go as far and urge them to take on their responsibility for stabilizing society and perform pentests of any devices still in sale – to meet today’s cyber protection requirements,” the expert said. 

“Today, we perform multiple pentests of OT devices, paid for by their customers who are working to reduce risk before putting devices in production. They simply do not trust the ICS/OT vendors have the same standards as them when it comes to cyber security,” he added. “An important principle when securing ICS/OT systems is ‘defense in depth’. For a vulnerable device this does not translate to ‘add a firewall’. It means ‘add a firewall, fix the vulnerability, add some logging and detection and think about what more you can do’.”

Grødum also advises vendors to ensure that vulnerabilities found in their products can easily be reported, and avoid trying to hide security flaws or downplay their impact. 

“Not only can such behavior leave critical infrastructure at risk, without the vendor’s customers being notified and given a chance to act, but it also does not acknowledge the positive impact the security researchers who report vulnerabilities provide. Their responsible disclosures reduce the world’s exposure to zero-days,” he explained. 

Grødum also has recommendations for companies that design plants or processes with products from multiple vendors. He believes they should ensure that all the devices they deploy will be able to meet security requirements for as long as the system is expected to be in use. 

Related: Cisco Finds 15 Vulnerabilities in AutomationDirect PLCs

Related: Rockwell Automation Urges Customers to Disconnect ICS From Internet

Related: Critical Vulnerability in Honeywell Virtual Controller Allows Remote Code Execution

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights