Security experts from SCADA StrangeLove group disclosed SCADAPASS, a list of default credentials for ICS and SCADA systems.
Recently I wrote about the SCADA StrangeLove research team reporting their study on the level of cyber security implemented in modern railroad systems .
Now the SCADA StrangeLove group has published a list of default credentials, dubbed “SCADAPASS,” associated with industrial control system (ICS) products from various vendors.
The list includes default credentials for more than 100 products, and experts hope that the security community will add new entries to the database in the incoming months. Each record of the database includes the name of the affected ICS/SCADA product, the type of device, the vendor’s name, default credentials (usernames and passwords), the port and protocol over which the device can be accessed, and the source of the information.
The SCADAPASS list includes default credentials for a number of industrial devices such as wireless gateways, routers, programmable logic controllers (PLC), servers and network modules.
The default passwords have been obtained from open sources which include documentation from the vendor and other reports from various industries.
The devices are manufactured by the most important vendors for industrial components, including ABB, B&B Electronics, Digi, Emerson, eWON, Hirschmann, Moxa, Netcomm Wireless, Rockwell Automation /Allen-Bradley, Samsung, Schneider Electric, Phoenix Contact, Tridium, Wago, Siemens and Yokogawa.
According to SecurityWeek, the SCADA StrangeLove group has also compiled a list containing hardcoded passwords of many industrial devices. The experts will not disclose this second list to avoid threat actors will exploit it in cyber attacks in the wild.
These hardcoded passwords can only be removed by applying a patch from the vendor.
The availability of a list of default passwords for SCADA systems represents a serious issue and experts published it to sensibilize the operators of industrial systems and ICS vendors.
Security experts speculate ICS vendors should implement security by design, implementing security controls to mitigate cyber threats.