Old Habits Die Hard: Industrial Controls, Credential Sharing and Password Spraying

January 15, 2020 | by Jason Kent

Industrial Control

For years, the security implications related to Industrial Control Systems, SCADA and Industrial Internet of Things have been treated as a low(er) priority because these systems were closed, embedded deep in the shop floor, and had minimal network connectivity. Today, these systems have network connectivity, and are accessible from the web, but the security stance remains largely unchanged. Recent joint research with a channel partner specializing in ICS in manufacturing environments confirms that security risks exist either through system vulnerabilities or via some other attack vector such as password spraying.

Imagine you are building an assembly line and you need to feed a process with parts that will come together as a sub-assembly. Computers do a great job of understanding if the right number of parts are available while Programmable Logic Circuits (PLCs) can be used to automate repetitive, singular tasks. In our assembly line, we are putting together Wheels and Tires that ultimately will be mounted on a car that hasn’t been made yet. As the tire moves down the assembly line it must be placed in the correct alignment to be put on the wheel. A camera takes a picture of the tire as it moves along and if the tire isn’t oriented correctly for the next machine to pick it up, a subprocess flips the tire over or turns it to the right orientation. This creates efficiency for the person loading the tires onto the assembly line because they don’t have to manipulate the tire, just get it from the truck onto the conveyer belt. These systems are simple and not much thought goes into them once they are in place. Eventually, however, someone will want to find another efficiency in this process.

Enter the connected world of data gathering for Industrial Controls. How many times has the tire been flipped? Is there some way to impact the speed of the downstream process if the tire was placed in the correct orientation when put on the truck? These are the questions that manufacturers iterate through to find incremental yet impactful efficiency gains. ICS manufacturers want to help and so, they have created modules that connect ICS components to the IT infrastructure. Slap in an ethernet module, run a cable to the closest switch and boom, online ICS. Connectivity, in this case, is both a blessing and a curse. The blessing is that we can now program the ICS logic for the PLCs, gather data on how many times it does its job, to better understand where efficiencies can be created. The curse is that the IP connected devices are now more visible to the outside world, specifically the bad actors.

Just because we can connect these devices to the web, does not mean one must connect them. Once connected, security for devices that ignored the concept in the past is now top of mind. Prior to connecting our ICS to the Internet, we would physically connect to it with a laptop to change the logic. This meant that a bad actor would have to have the technology but also the physical access to the systems they want to change. Now we have created a low-cost mechanism that allows for changes the logic on the fly but, we have increased availability of the system to a bad actor as well.

Old Habits Die Hard

The next phase of logic programming and reading sensor input was an interface between the humans and the machine was usually a dedicated device called an HMI (Human Machine Interface), basically a small keypad or touch screen. If used at all, authentication was usually a username and password that was shared or known by every person on the manufacturing floor and often, they were the default credentials when the system was installed. Again, these systems have been put on the internet and for simplicity’s sake, use the same credentials. With the average life of around 20 years, these systems came online with an immediate security debt that will be around for a long time.

Now that we have them plugged in, the HMIs aren’t as important. There isn’t a need to buy the HMI modules if you can just connect via a web browser. Many of the more modern ICS systems are ditching the HMI panel for a centralized control that is “online” and can be accessed from anywhere. Want to guess what the usernames and passwords are now? Our research shows that old habits die hard – customers still prefer having the same credentials as for all the users, making it easier for everyone to remember. Password reuse has been in the news quite a bit lately, a security best practice is to use a different password for each site. Credential sharing of both the username and password leads to the elimination of a control that is put in place to ensure the security of the systems and potentially the safety of the manufacturing floor. Password spraying techniques are certain to work in ICS environments and connecting them to the Internet means anyone could execute password spraying attacks.

Keep in mind, these are the same types of systems and controls that are used in critical infrastructure. Logic controllers, dependency driven activity, all that assumes the data take in is good and the action can be taken regarding the input. As we look at possible attacks here we can easily see that having the same authentication credentials as being right next to the systems, means anything can be changed remotely if the attacker has the password. The first phase of many of these attacks is to just try username and password combinations that will certainly work, or in the case of Mirai, the BOTs can just try the few they know will work. If Iranian driven BOTs are turned onto critical infrastructure, that has a common username and password and was never intended to be put on the Internet, it is possible simple password spraying is all they will need. We don’t want a group of attackers finding flaws on our onshore nuclear power generation sites, nor do we want them causing problems really anywhere.

Whether the system is simple, like in our tire flipping example, or more complex systems like our critical infrastructure, the need for better security is obvious. If the machines aren’t acting safely, are causing delays or over-consuming materials, the efficiency of the automation is working against the manufacturer and can cause severe problems that may not be noticed for weeks or months. When things are going well, we tend to not peer into the darkness.

During the month of January, we will be putting together a lab with the latest technology available and we will be digging into ICS systems, SCADA and Industrial Internet of Things components to look at what may or may not work from a vulnerability exposure and exploit standpoint. Stay tuned for the results of our research and what steps can be taken to secure your ICS and SCADA environments.

Jason Kent

Jason Kent

Hacker in Residence

Additional Resources

New Research Discovers More Than 30% of All Malicious Attacks Target Shadow APIs. Learn more Arrow icon