U.S. Water Utilities and Poor Passwords

Last week (Nov 18) a hacker calling himself Pr0f demonstrated how he could easily hack into a SCADA system controlling the water utility at the City of South Houston. Later in an interview with ThreatPost he explained how South Houston had an instance of the Siemens Simatic Human Machine Interface (HMI) software that was accessible from the Internet. What was particularly problematic was that this connection was protected with an easy-to-hack, three character password.

Now while Pr0f has been obviously following the latest in hacking techniques, it is clear that the team at the South Houston Water Utility is not staying current with even the most basic guidelines on good security passwords. Here are my thoughts on passwords, and some suggestions on dealing with a very imperfect security mechanism.

Passwords Plus Humans Equals Poor Security

Passwords are a bad idea on many levels, starting with the fact that expecting people to remember strong passwords simply defies all understanding of human behavior. As Michael Schrage outlined in his MIT Technology Review article, "The Password Is Fayleyure" (March 2005, see download at the end of this article), passwords “perversely inspire abuse, misuse, and criminal mischief by deliberately making users the weakest link in the security chain.” Basically, we have chosen a technology that is almost impossible for humans to manage or remember, but trivial for computers to crack, and then called it security.

Numerous studies have shown that when faced with the difficulty of remembering “strong” passwords, people routinely pick simple passwords that are found in dictionaries and susceptible to brute force attacks. Furthermore, they use the same passwords over and over again, so that the successful guess of a single password means that numerous other devices can be exploited.

The situation in process control environments is even worse. Instead of one person having to remember a password to access a personal workstation, SCADA equipment access is often shared with an entire group, resulting in even simpler passwords that are common to multiple devices.

Password Reuse and SCADA Systems Equals even Worse Security

This reuse of passwords has nasty consequences when combined with the many SCADA products that have broken password systems – check many PLC or RTU systems and you will find the passwords being sent in plain text over the network.

During an analysis of an oil refinery, I discovered that the PLC password that was trivial to capture off the network was the same one that the controls group used for accessing more robust systems like Windows servers. Once I had the PLC password, I could happily log into the servers as an administrator. At least if they had stuck with the PLC manufacturer’s default passwords, I would have had to work harder to crack the server’s passwords.

Picking Memorable yet Effective Passwords

Since we are stuck using passwords, I do have a few thoughts on how to make the best out of a bad situation. First, there is good guidance on how to pick memorable, yet more difficult to crack passwords. One of my favorites is from the paper "Password Memorability and Security: Empirical Results.” The authors showed that security can be significantly improved if administrators provide explicit guidance on how a password should be chosen. They also provide examples on developing that guidance and my favorite is the following (paraphrased from the paper):

“Choosing a good password is critical to maintaining the security of this system. To construct a good password, create a simple sentence of 8 or more words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and special character should be inserted as well.

An example is the phrase "It's 12 noon and I am hungry" which can be used to create the password "I's12n&Iah". Under no circumstances should the password contain a word that could be found in a dictionary, is a product or area name or be made up of only letters or numbers.”

Don’t Use the Same Password for Everything

It is also critical to make sure passwords used for weak systems (like PLCs) or weak protocols (like FTP or HTTP) are not the same as the passwords used for stronger systems. One client rated their control systems in terms of password robustness and then had “throw-away” passwords for systems that sent passwords over the network in plain text.

Frankly, I think passwords as a whole are a complete security disaster – unfortunately one that we are going to have to live with for a few years to come. Since we are stuck with them, I would like to hear what real SCADA and process control engineers are doing about their passwords on the plant floor. Send your ideas and questions and together we will make our systems more secure.

Related Content to Download

Note: you need to be a member of tofinosecurity.com and logged in to have access to the document below. Register here to become a member.

The Password Is Fayleyure

The Memorability and Security of Passwords

Related Links


 RSS Feed Subscribe to the "Practical SCADA Security" news feed



It is so frustrating - no, make that infuriating - to read again and again the accounts of critical infrastructure systems that have been compromised. I like so many wonder why these systems even need to be exposed to the internet. And I wonder whether there is any accountability for those responsible for maintaining passwords. Perhaps we would read of fewer incursions if companies established an accountability policy where passwords are determined by a minimum of two people knowledgeable in the selection of robust passwords. And when I read of incursions at any government website, I really wish heads would roll. Whatever the solution is, it likely will be based upon a multilayer approach. Maybe part of the answer will involve no one getting into a secure network from anywhere unless a human onsite verifies and authorizes the connection for the duration of that visit.

One reason I have heard stated for having simple SCADA/HMI operator passwords and never/rarely changing them (certainly not when an operator leaves, for example, as would happen in other critical IT systems) is the avoidance of risk during emergency/upset situations. At these times, the operator or similar user may need to urgently log into a BPCS/SIS HMI to perform some control/mitigating action and management does not want them wasting time searching for the "current" password. What is the way around this? Biometrics? Other? I am not sure what the answer is and would be keen to hear how others are addressing this on their facilities.

It appears to me that the real issue in this incident (and in thousands of water facility installations) is the lack of a secure Internet connection, i.e. one that would be protected by IPsec, SSL or similiar. A four-letter or five-letter password alone doesn't make the architecture secure.

Hint for all who complain about a water treatment plant being connected to the Internet: In water there are so many unmanned plants that remote access is required.

I disagree, passwords that are hard to remember are unnecessary. Use three words separated by symbols.

"It is ten times more secure to use "this is fun" as your password, than "J4fS<2"."


"Operational Necessity will invariably trump the best laid plans of the security and safety departments."

Imagine having a workforce of 80,000 crippled for 3 days because someone lost or forgot a password. (I personally witnessed this happen) Imagine not being able to shutdown an exothermic process (e.g. nuclear power plant) because they were locked out of an operator screen. (Fortunately I haven't personally seen this happen yet)

The cost of loosing operability is frequently considered to be a far greater risk to human life and other assets than breaching any protocol that is seen as a hindrance to operators and production managers.

Eric is right on the money when he says that passwords are a security disaster. They should be banned from industrial systems and replaced with inherent security measures that enhance operability instead of pissing off the people that actually have to make things run.

Hello all, I wanted to introduce myself and our event on European Smart Grid Cyber Security March 12th and 13th. We are bringing together as many industry professionals as possible to discuss these topics and I am looking to make the agenda as robust as possible.

At present I am looking for some pretty savy sponsors with ICS control solutions, as well as case studies, Academic, Government and Utility views

One topic I would like to hear more about is Control Systems Cyber Forensics..

Thank you for your consideration or referrals

No one can blame the hackers for the lapse in security that the government has failed to see. It seems that there are a lot of people out there targeting the SCADA systems for its vulnerability. Hope that the developers will role a sort of defense.

Add new comment