
February 2016

Technology Advisory: SCADA Default Passwords Are Publicly Listed

What has changed and why is it important?

A group of researchers has made public a list, dubbed “SCADAPASS,” containing default credentials for more than 100 industrial control system (ICS) products belonging to various top vendors.

The research team, known as SCADA StrangeLove, published the list on GitHub. It includes the product and vendor names, device type, default username and password, port and protocol, and a link to the source of the information. Examples of affected devices and vendors were recently reported by SecurityWeek.

SCADA StrangeLove researchers said they were able to obtain the default credentials from open password lists and documentation from vendors.

The researchers claimed to have also compiled a lengthy list of hardcoded passwords, which they do not plan to release in adherence to responsible disclosure guidelines.

By publishing the database, the group of researchers hopes to change the mindset of ICS vendors.

SCADA StrangeLove researcher Sergey Gordeychik says vendors should not leave security in the hands of control system operators, who usually are not aware of all the features on their devices.

What do cooperatives need to know about it?

The passwords are not used by the SCADA system when a request for data or a request to issue a control is sent from the SCADA Master Station. However, the passwords for control devices are used to change operating settings and communications settings, either through a Human Machine Interface (HMI) on the front panel of a control device or by connecting to the device using the manufacturer’s software.

Legacy equipment, generally without a built-in Ethernet port, normally uses two ports for communications: one for the SCADA system and one for configuring the device. Usually when using legacy equipment, a computer with the manufacturer’s software is connected to the control device through a serial or USB cable, so configuring the device requires physical access to it.

However, devices that have Ethernet connections often use the same Ethernet port for both configuring the device and SCADA functionality. With this in mind, if someone had access to the manufacturer’s software and the Ethernet LAN or WAN that the control device is on, they could potentially access the device if the default settings have not been changed.

If someone were able to log in to the control device, he or she could change configuration settings. With changed configuration settings, the control device will not operate within the desired parameters needed to provide a safe and reliable system. This is a concern for distribution, transmission and generation level systems alike. Some of these changes may show up quickly, like a voltage regulator being configured to operate at a higher or lower voltage than desired; however, other settings may not show up until a catastrophic event occurs. For example, if the settings for a Recloser pickup have been increased or a curve changed, the Lineman working on the system may no longer be wearing appropriate personal protective equipment (PPE) in the event of an arc-flash.

In addition to changing the configuration settings, the intruder could also operate the control device. By operating the control device, the intruder could force the electrical system to operate outside of desired parameters. For example, the voltage output of a voltage regulator could be too low or too high, or an interrupting device like a Recloser could be opened, causing an outage to consumers.

Additionally, the intruder could change the communications settings. For example, the device address could be changed, which would prevent the device from communicating with the SCADA Master Station, as well as cause a conflict with another control device on the same network, leaving neither device able to communicate with the SCADA Master Station.

What do cooperatives need to do about it?

It is critical that cooperatives check the Admin Password defaults to ensure that they have been modified; otherwise, those default passwords are on the web in a .CSV file. If the passwords have not been modified, it is strongly suggested that the Cooperative change the passwords. In addition, best business practices should be followed for routine changing of passwords to help ensure cyber security.
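One way to organize the check described above is to compare an asset inventory with the products named in the published list and flag devices with no recorded password change, putting Ethernet-configured devices first. This is an added example, not part of the NRECA advisory or the SCADAPASS project; the column names, inventory schema and every sample value are constructed assumptions.

```python
import csv
import io

# Constructed sample in the shape the advisory describes for the published list
# (vendor, product, device type, default username/password, port, protocol).
# Column names and all values are placeholders, not taken from SCADAPASS.
DEFAULTS_CSV = """vendor,product,device_type,username,password,port,protocol
ExampleVendorA,Recloser Control 100,Recloser control,admin,<default>,80,http
ExampleVendorB,Regulator Panel 7,Voltage regulator control,operator,<default>,23,telnet
"""

# Constructed cooperative asset inventory (hypothetical schema).
# password_changed is the date the admin password was last changed, blank if never recorded.
INVENTORY_CSV = """asset_id,vendor,product,config_interface,password_changed
SUB1-RC-01,examplevendora,Recloser Control 100,ethernet,
SUB1-RC-02,ExampleVendorA,Recloser Control 100,ethernet,2015-11-02
SUB2-VR-01,ExampleVendorB,Regulator Panel 7,serial,
SUB2-MTR-04,ExampleVendorC,Meter 3,ethernet,
"""

def _key(row):
    """Normalise vendor/product so inventory spelling differences still match."""
    return (row["vendor"].strip().lower(), row["product"].strip().lower())

def devices_to_check(defaults_text, inventory_text):
    """Return (priority, asset_id, reason) for listed devices with no recorded password change."""
    listed = {_key(r) for r in csv.DictReader(io.StringIO(defaults_text))}
    findings = []
    for dev in csv.DictReader(io.StringIO(inventory_text)):
        if _key(dev) not in listed or dev["password_changed"].strip():
            continue
        # Ethernet devices share one port for configuration and SCADA, so they are
        # reachable from the LAN/WAN; serial/USB configuration needs physical access.
        if dev["config_interface"].strip().lower() == "ethernet":
            findings.append((1, dev["asset_id"], "network-reachable config port"))
        else:
            findings.append((2, dev["asset_id"], "local config port (physical access)"))
    return sorted(findings)

if __name__ == "__main__":
    for priority, asset, reason in devices_to_check(DEFAULTS_CSV, INVENTORY_CSV):
        print(f"P{priority} {asset}: verify admin password was changed ({reason})")
```

A device that does not match the list is only unlisted, not confirmed safe, so its admin password still needs to be verified on the device itself.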

NRECA provides resources on cyber security, including a Guide to Developing a Risk Mitigation and Cyber Security Plan. These resources can help members take measures to ensure effective cyber security on their systems. Please visit our cyber security website for more information.

Contacts for Questions

Thomas Gwinn, NRECA Principal Engineer

Tony Thomas, NRECA Principal Engineer

Copyright © 2016 by the National Rural Electric Cooperative Association. All Rights Reserved.