Insecure SCADA kit has hidden factory account, password

Cylink’s Justin Clarke has tagged another SCADA maker for default insecurity, discovering a hidden factory account – complete with hard-coded password – in switch management software made by Belden-owned GarrettCom. As the Department of Homeland Security's ICS-CERT advisory (PDF) notes, the company’s Magnum MNS-6K management …

COMMENTS

This topic is closed for new posts.

Backdoors have a reason

Pretty much any SCADA kit or such needs at least some sort of backdoor to allow service people to gain access for various reasons including the most common:

The dude who knew all the passwords died/was fired/is on holiday and we need to access the kit to change something. Service personnel are called in to save the day.

The trick though is to limit that access to requiring physical presence (eg. holding a service button) and not something that can be hacked from afar.

Of course SCADA kit should always be on a private network (VPN at least).

4
4

Re: Backdoors have a reason

"The dude who knew all the passwords died ....."

That's all down to adequate and well maintained company procedures and records, which are often inadequate even if they've been thought about.

Good call on the 'service button'.

6
0

Re: Backdoors have a reason

Service button -- you should have patented that :-)

2
0

Re: Backdoors have a reason

"Service button -- you should have patented that :-)"

Coming to an Apple patent and i-product soon.

Excerpt added to warranty:

"Use of service button by non-certified Apple personnel results in void of warranty"

1
1

Re: Backdoors have a reason

Often they are on their own private network, but then you'll get a PC that needs to bridge two networks so it has access to both, and potential holes are created.

4
0

Re: Backdoors have a reason

"Of course SCADA kit should always be on a private network (VPN at least)."

If it's on a VPN, doesn't that mean it's on something connected to the outside world and therefore a possible attack vector via the machines bridging the gap between the VPN and the rest of the internet?

There are many who say that SCADA systems should not be connected to the internet in any way.

However...

- Customers want remote access to unmanned sites.

- Customers want to pull production figures from the system and plot real time charts that they can send to their sales office so they don't oversell what is being produced.

- Customers want 24 hour support on systems from the system integrator, which can include getting them logged into the system remotely as soon as possible, rather than a 2 hour drive or even a chopper flight.

You could argue the same about keeping the bank's computers off the internet. But what about home banking? What about links from cash machines?

3
0

Re: Backdoors have a reason

"Good call on the 'service button'."

Been doing that kind of thing long before the days of the internet.

Dial up access to site with full control of SCADA and PLC. To prevent anyone guessing the number, the modem was left disconnected and only plugged in when site requested help and we told them to plug/unplug it.

3
0

Re: Service button -- you should have patented that :-)

I already have!!!

Now to start IP infringement lawsuits (like Apple).

</snark>

0
0
Anonymous Coward

SCADA default insecurity

Why don't they run these SCADA units over a VPN circuit run on embedded hardware?

0
5

Re: SCADA default insecurity

Would all five of you please enumerate the reasons you modded down the preceding comment?

0
1
Anonymous Coward

Hi Richard, just a friendly heads-up...

You might just want to re-read that last paragraph as I think you left a few spurious words you were playing with lying around. At the moment it doesn't really make sense!

0
0
Anonymous Coward

Reminds of the FSE from DEC (a long time ago)

Bloke came the wrong day to do some work on our VAXen and was hopping mad that the service admin account (Login field, password service) was not working. (It was removed.)

0
0