U.S. Water Utilities and Poor Passwords
Last week (Nov 18) a hacker calling himself Pr0f showed how easily he could get into the SCADA system controlling the water utility at the City of South Houston. In a later interview with ThreatPost he explained that South Houston had an instance of the Siemens Simatic Human Machine Interface (HMI) software that was directly reachable from the Internet. What made it worse was that this connection was protected by nothing more than a trivially guessable three-character password.
Now while Pr0f has obviously been following the latest in hacking techniques, it is clear that the team at the South Houston water utility is not staying current with even the most basic guidelines on good passwords. Here are my thoughts on passwords, and some suggestions for dealing with a very imperfect security mechanism.
Passwords Plus Humans Equals Poor Security
Passwords are a bad idea on many levels, starting with the fact that expecting people to remember strong passwords defies everything we know about human behavior. As Michael Schrage put it in his MIT Technology Review article, "The Password Is Fayleyure" (March 2005, see download at the end of this article), passwords “perversely inspire abuse, misuse, and criminal mischief by deliberately making users the weakest link in the security chain.” Basically, we have chosen a technology that is almost impossible for humans to manage or remember, but trivial for computers to crack, and called it security.
Numerous studies have shown that when faced with the difficulty of remembering “strong” passwords, people routinely pick simple passwords that appear in dictionaries and fall quickly to dictionary and brute-force attacks. Furthermore, they reuse the same passwords across systems, so a single successful guess opens up numerous other devices.
The situation in process control environments is even worse. Instead of one person remembering a password for a personal workstation, access to SCADA equipment is often shared by an entire group, which results in even simpler passwords that are common to multiple devices.
Password Reuse and SCADA Systems Equals Even Worse Security
This reuse of passwords has nasty consequences when combined with the many SCADA products that have broken password systems – check many PLC or RTU systems and you will find the passwords being sent in plain text over the network, where anyone who can sniff the traffic can read them.
During an analysis of an oil refinery, I discovered that the PLC password that was trivial to capture off the network was the same one that the controls group used for accessing more robust systems like Windows servers. Once I had the PLC password, I could happily log into the servers as an administrator. At least if they had stuck with the PLC manufacturer’s default passwords, I would have had to work harder to crack the server’s passwords.
Picking Memorable yet Effective Passwords
Since we are stuck using passwords, I do have a few thoughts on how to make the best of a bad situation. First, there is good guidance on how to pick memorable yet harder-to-crack passwords. One of my favorites is the paper "Password Memorability and Security: Empirical Results.” Its authors showed that security improves significantly when administrators give explicit guidance on how a password should be chosen. They also give examples of such guidance, and my favorite is the following (paraphrased from the paper):
“Choosing a good password is critical to maintaining the security of this system. To construct a good password, create a simple sentence of 8 or more words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and special character should be inserted as well.
An example is the phrase "It's 12 noon and I am hungry" which can be used to create the password "I's12n&Iah". Under no circumstances should the password contain a word that could be found in a dictionary, is a product or area name or be made up of only letters or numbers.”
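The guidance above is easy to turn into something an administrator can hand out and enforce. The following Python script is an added example, not code from the paper or from Tofino Security: it derives a mnemonic password from a sentence and then checks any candidate against the rules in the quoted guidance. The derivation rules (keep numbers whole, turn "and" into "&", otherwise take each word's first letter plus any trailing apostrophe suffix) are my own reading of the paper's example, and the word list and the product/area names are constructed stand-ins for a real dictionary file and a site-specific ban list.

```python
import re

# Constructed stand-in for a real word list such as /usr/share/dict/words;
# swap in a full list for real use.
DICTIONARY = {"password", "water", "houston", "admin", "noon", "hungry", "plant"}

# Product and area names the guidance bans; constructed for this example.
FORBIDDEN_TERMS = {"simatic", "wincc", "scada", "southhouston"}

MIN_LENGTH = 8
MIN_WORD_LEN = 4  # assumption: ignore 1-3 letter dictionary words ("a", "an", "I")


def derive_mnemonic(sentence):
    """Build a mnemonic password from a sentence.

    Rules (an assumption, chosen so the paper's example round-trips):
      * numbers are kept whole ("12" -> "12"),
      * "and" becomes "&",
      * any other word contributes its first letter plus a trailing
        apostrophe suffix if it has one ("It's" -> "I's", "noon" -> "n"),
      * capitalisation is taken from the sentence as written.
    """
    parts = []
    for word in sentence.split():
        if word.isdigit():
            parts.append(word)
        elif word.lower() == "and":
            parts.append("&")
        else:
            m = re.match(r"([A-Za-z])[A-Za-z]*('[A-Za-z]+)?", word)
            if m:
                parts.append(m.group(1) + (m.group(2) or ""))
    return "".join(parts)


def check_password(pw):
    """Return the list of guidance rules the password violates (empty = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("needs at least one special character")
    if pw.isalpha() or pw.isdigit():
        problems.append("made up of only letters or only digits")
    lowered = pw.lower()
    # Substring match: "houston1" still contains the dictionary word "houston".
    for word in sorted(DICTIONARY):
        if len(word) >= MIN_WORD_LEN and word in lowered:
            problems.append("contains dictionary word '%s'" % word)
    for term in sorted(FORBIDDEN_TERMS):
        if term in lowered:
            problems.append("contains product/area name '%s'" % term)
    return problems


if __name__ == "__main__":
    candidates = [
        derive_mnemonic("It's 12 noon and I am hungry"),  # the paper's example
        "houston1",      # what a shared operator account often ends up with
        "Simatic#2011",  # complex-looking, but built on a product name
    ]
    for pw in candidates:
        verdict = check_password(pw)
        print("%-14s %s" % (pw, "OK" if not verdict else "; ".join(verdict)))
```

The substring check is deliberately strict: a password that merely wraps a dictionary or product word in digits and punctuation is exactly what a dictionary-plus-mangling-rules cracker tries first, so the checker refuses it rather than crediting the decoration.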
Don’t Use the Same Password for Everything
It is also critical to make sure that passwords used for weak systems (like PLCs) or weak protocols (like FTP or HTTP) are never the same as the passwords used for stronger systems. One client rated their control systems in terms of password robustness and then assigned “throw-away” passwords to every system that sends its password over the network in plain text, so that capturing one of those passwords gains an attacker nothing anywhere else.
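The refinery story above and the tiering idea in this section come together in a simple audit: pull the credentials that weak protocols expose on the wire and check whether any of them also unlock an account on a stronger system. The Python below is an added example (not code from the original article or from Tofino Security) of that audit. The captured FTP and HTTP Basic payloads, the host names and addresses, and the "strong tier" account list are all constructed for the example; the assumption that the auditor holds SHA-256 hashes of the strong-tier passwords is also mine, since a real directory stores its own hash format and you would compare against that instead.

```python
import base64
import hashlib
import re


def sha256_hex(secret):
    """Hash a password so the audit never has to carry strong-tier plaintext around."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample of what a sniffer on the plant LAN would see: an FTP login to
# an RTU and HTTP Basic logins to two PLC web pages. Hosts and secrets are made up.
CAPTURED_PAYLOADS = [
    ("10.0.5.20", "ftp", "220 RTU ready\r\nUSER operator\r\nPASS plant1\r\n"),
    ("10.0.5.31", "http",
     "GET /index.htm HTTP/1.1\r\nHost: plc-3\r\n"
     "Authorization: Basic b3BlcmF0b3I6cGxhbnQx\r\n\r\n"),
    ("10.0.5.40", "http",
     "GET /status HTTP/1.1\r\nHost: plc-4\r\n"
     "Authorization: Basic c3VwcG9ydDp0aHJvdy1hd2F5LTQw\r\n\r\n"),
]

# Constructed record of the stronger tier (Windows servers, engineering workstations),
# keyed by (host, user) with a SHA-256 of the current password. Assumption: in a real
# audit you would compare against the hash format the credential store actually uses.
STRONG_TIER_ACCOUNTS = {
    ("hist-srv-01", "Administrator"): sha256_hex("plant1"),
    ("eng-ws-07", "operator"): sha256_hex("Ke3p!tSep4r8"),
}

FTP_USER = re.compile(r"^USER (\S+)", re.M)
FTP_PASS = re.compile(r"^PASS (\S+)", re.M)
HTTP_BASIC = re.compile(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.M)


def extract_plaintext_credentials(payloads):
    """Pull (host, proto, user, password) out of plaintext FTP and HTTP Basic traffic."""
    found = []
    for host, proto, payload in payloads:
        if proto == "ftp":
            u, p = FTP_USER.search(payload), FTP_PASS.search(payload)
            if u and p:
                found.append((host, proto, u.group(1), p.group(1)))
        elif proto == "http":
            m = HTTP_BASIC.search(payload)
            if m:
                # HTTP Basic is just base64("user:password"); no secrecy at all.
                user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
                found.append((host, proto, user, password))
    return found


def find_cross_tier_reuse(creds, strong_accounts):
    """Flag each captured weak-tier password that also unlocks a strong-tier account."""
    hits = []
    for host, _proto, user, password in creds:
        digest = sha256_hex(password)
        for (s_host, s_user), s_digest in strong_accounts.items():
            if digest == s_digest:
                hits.append((host, user, s_host, s_user))
    return hits


if __name__ == "__main__":
    creds = extract_plaintext_credentials(CAPTURED_PAYLOADS)
    for host, proto, user, password in creds:
        print("captured on the wire: %s %s %s:%s" % (host, proto, user, password))
    for weak_host, weak_user, strong_host, strong_user in find_cross_tier_reuse(creds, STRONG_TIER_ACCOUNTS):
        print("REUSE: password of %s@%s also opens %s@%s" % (weak_user, weak_host, strong_user, strong_host))
```

Run against the sample, the two devices still on the shared "plant1" password both light up against the historian server's Administrator account, while the PLC that was given a throw-away password produces no finding. That is exactly the separation the client above was after: a sniffed PLC password that unlocks nothing beyond the PLC.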
Frankly, I think passwords as a whole are a complete security disaster – unfortunately one that we are going to have to live with for a few years to come. Since we are stuck with them, I would like to hear what real SCADA and process control engineers are doing about their passwords on the plant floor. Send your ideas and questions and together we will make our systems more secure.
Related Content to Download