Patrick Coyle posted over the weekend that ICS-CERT has updated their “Internet-connected control system” bulletin, first posted in January 2012.
The update points out additional control systems vendors and rightly shows the concern that default passwords are present on many control systems.
I have two critiques of the alert. First, default passwords are a vulnerability to me. Consider this: when you install and configure a Windows system, what is the default username/password? How about Linux? Solaris? AIX? The answer is that there is often a default username, but part of the installation and configuration process is to set a new password. I find it odd that setting up a server to host, say, a social networking/new media site is inherently more secure than setting up a controller for potentially critical infrastructure.
Another issue that the update doesn’t address is that a huge problem with tracking down owners is that many internet-facing controllers are in IP blocks that belong to ISPs. Contacting an ISP about a client’s vulnerable system rarely gets anywhere in the United States — ISPs have no obligation to inform the owner nor to tell a reporter who the owner of a vulnerable system is. This is why Patrick’s recommendation of getting this document in as many hands as possible is so important.
Digital Bond inquired about this a few months ago and we had a conference call with DHS and ICS-CERT. Their answer at the time was more or less what I expected. Their strategy right now is to send an officially-sounding contact with the ISP. This works in some instances, but not in others. Quite a few of the controllers that I reported since January are still accessible on the Internet. Unfortunately their hands are tied on this — there is no legal vehicle for ICS-CERT/DHS to compel an ISP to either pass the information along nor to provide the owner information.
Some vendors are really great about handling the “Internet-connected” problem. One in particular has been great, but they’ve asked that I not mention who they are…their controllers, though, allow unauthenticated reading of their serial number, and they are able to track down the owner and actually call the owner and let them know the danger of leaving their product on the internet. Sadly it doesn’t always work even then, but their track record has been better than I could hope for, given the legal climate.
Other vendors tend to ignore the problem, claiming that internet-facing controllers are their customer’s problem.
If you’re an ISP that gets a cold-call or an email from ICS-CERT, please take it seriously. Your customer will thank you in the end.