Insecure SCADA kit has hidden factory account, password

Cylink’s Justin Clarke has tagged another SCADA maker for default insecurity, discovering a hidden factory account – complete with hard-coded password – in switch management software made by Belden-owned GarrettCom. As the Department of Homeland Security's ICS-CERT advisory (PDF) notes, the company’s Magnum MNS-6K management …

COMMENTS

This topic is closed for new posts.
  1. Charles Manning

    Backdoors have a reason

    Pretty much any SCADA kit or such needs at least some sort of backdoor to allow service people to gain access for various reasons including the most common:

    The dude who knew all the passwords died/was fired/ is on holiday and we need to access the kit to change something. Service personnel are called in to save the day.

    The trick though is to limit that access to requiring physical presence (e.g. holding a service button) and not something that can be hacked from afar.

    Of course SCADA kit should always be on a private network (VPN at least).

    1. frank ly

      Re: Backdoors have a reason

      "The dude who knew all the passwords died ....."

      That's all down to adequate and well maintained company procedures and records, which are often inadequate even if they've been thought about.

      Good call on the 'service button'.

      1. Wize

        Re: Backdoors have a reason

        "Good call on the 'service button'."

        Been doing that kind of thing long before the days of the internet.

        Dial-up access to site with full control of SCADA and PLC. To prevent anyone guessing the number, the modem was left disconnected and only plugged in when the site requested help and we told them to plug/unplug it.

    2. John H Woods

      Re: Backdoors have a reason

      Service button -- you should have patented that :-)

      1. annodomini2

        Re: Backdoors have a reason

        "Service button -- you should have patented that :-)"

        Coming to an Apple patent and i-product soon.

        Excerpt added to warranty:

        "Use of service button by non-certified Apple personnel results in void of warranty"

      2. Fatman

        Re: Service button -- you should have patented that :-)

        I already have!!!

        Now to start IP infringement lawsuits (like Apple).

        </snark>

    3. keith.nicholas

      Re: Backdoors have a reason

      Often they are on their own private network, but then you'll get a PC that needs to bridge two networks so it has access to both, and potential holes are created.

    4. Wize

      Re: Backdoors have a reason

      "Of course SCADA kit should always be on a private network (VPN at least)."

      If it's on a VPN, doesn't that mean it's on something connected to the outside world and therefore a possible attack vector via the machines bridging the gap between the VPN and the rest of the internet?

      There are many who say that SCADA systems should not be connected to the internet in any way.

      However...

      - Customers want remote access to unmanned sites.

      - Customers want to pull production figures from the system and plot real time charts that they can send to their sales office so they don't oversell what is being produced.

      - Customers want 24-hour support on systems from the system integrator, which can include getting them logged into the system remotely as soon as possible, rather than a 2-hour drive or even a chopper flight.

      You could argue the same about keeping the bank's computers off the internet. But what about home banking? What about links from cash machines?

  2. Anonymous Coward

    SCADA default insecurity

    Why don't they run these SCADA units over a VPN circuit run on embedded hardware?

    1. Anonymous Coward

      Re: SCADA default insecurity

      Would all five of you please enumerate the reasons you modded down the preceding comment?

  3. Anonymous Coward

    Hi Richard, just a friendly heads-up...

    You might just want to re-read that last paragraph as I think you left a few spurious words you were playing with lying around. At the moment it doesn't really make sense!

  4. Anonymous Coward

    Reminds me of the FSE from DEC (a long time ago)

    Bloke came the wrong day to do some work on our VAXen and was hopping mad that the service admin account (Login field, password service) was not working. (It was removed.)
