Changeable default passwords are not seen as vulnerabilities by ICS

Changeable default passwords are not seen as vulnerabilities by ICS: Darius Freamon, a researcher from South Carolina, reported a vulnerability in an ICS (Industrial Control System) used for Solar power generation last April. ICS-CERT, a division of the U.S. Department of Homeland Security that focuses on risk across critical infrastructure, told him that the flaw he disclosed in Solare Datensysteme wasn’t valid.

“After analyzing the installation manual, we found that though there is a default password for this device, the manual clearly tells how to change it. We consider hard-coded (unchangeable) passwords to be a vulnerability, but we do not consider documented changeable default passwords to be a vulnerability,” an email from ICS-CERT informed Freamon.

Freamon, who has submitted five different vulnerabilities this year to ICS-CERT, was understandably perplexed by the response. In his work, he told CSO that he sees default passwords all the time, and while he understands the response given to him, the problem itself remains.

“The big problem is that administrators just don’t change them,” Freamon told CSO, referring to default passwords used in critical systems.

“Even if 50% do it, [that] means there are hundreds or thousands of systems left open to the world. With all the attention on ICS and SCADA it is scary how many systems are connected to the Internet [with default credentials].”