Passwords: Real Bad Security (But We Have To Live With Them)
One of the best things about the whole Stuxnet worm fiasco is that it has brought one of the biggest security issues – the use and abuse of passwords – into focus. Currently most of the discussion has focused on Siemens’ unfortunate use of fixed default passwords in their products (for example, see Joe Weiss’ post on http://news.infracritical.com/pipermail/scadasec/2010-August/001756.html). Frankly, I think passwords as a whole are a complete security disaster – unfortunately one that we are going to have to live with for a few years to come.
Passwords are a bad idea on many levels, starting with the fact that expecting people to remember strong passwords simply defies all understanding of human behavior. As Michael Schrage outlined in his MIT Technology Review article "The Password Is Fayleyure" (March 2005), passwords “perversely inspire abuse, misuse, and criminal mischief by deliberately making users the weakest link in the security chain.” Basically, we have chosen a technology that is almost impossible for humans to manage or remember, but trivial for computers to crack and then called it security.
Numerous studies have shown that when faced with the difficulty of remembering “strong” passwords, people routinely pick simple passwords that are found in dictionaries and susceptible to brute force attacks. Furthermore, they use the same passwords over and over again, so that the successful guess of a single password means that numerous other devices can be exploited. The situation in process control environments is even worse. Instead of one person having to remember a password to access a personal workstation, SCADA equipment access is often shared with an entire group, resulting in even simpler passwords that are common to multiple devices.
This reuse of passwords has nasty consequences when combined with the many SCADA products that have broken password systems – check many PLC or RTU systems and you will find the passwords being sent in plain text over the network. During an analysis of an oil refinery, I discovered that the PLC password that was trivial to capture off the network was the same one that the controls group used for accessing more robust systems like Windows servers. Once I had the PLC password, I could happily log into the servers as an administrator. At least if they had stuck with the PLC manufacturer’s default passwords, I would have had to work harder to crack the server’s passwords.
Since we are stuck using passwords, I do have a few thoughts on how to make the best out of a bad situation. First, there is good guidance on how to pick passwords that are memorable yet more difficult to crack. One of my favorites is from the paper “Password Memorability and Security: Empirical Results.” The authors showed that security can be significantly improved if administrators provide explicit guidance on how a password should be chosen. They also provide examples on developing that guidance, and my favorite is the following (paraphrased from the paper):
“Choosing a good password is critical to maintaining the security of this system. To construct a good password, create a simple sentence of 8 or more words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and special character should be inserted as well. An example is the phrase "It's 12 noon and I am hungry" which can be used to create the password "I's12n&Iah". Under no circumstances should the password contain a word that could be found in a dictionary, is a product or area name or be made up of only letters or numbers.”
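As an added example (not code from this post or from the paper it cites), the script below turns the quoted guidance into a checker that reports which rules a candidate password breaks, plus a simplified phrase-to-letters helper; the word list is a constructed stand-in for a real dictionary file.

```python
import string

# Constructed mini word list standing in for a real dictionary
# (assumption: a deployment would load something like /usr/share/dict/words).
DICTIONARY = {"password", "admin", "noon", "hungry", "plant", "refinery", "control"}

SPECIALS = set(string.punctuation)


def derive_from_phrase(phrase: str) -> str:
    """Build a candidate from a sentence: initial letter of each word,
    numeric tokens kept whole, 'and' mapped to '&'.
    This is a simplified version of the paper's rule; the paper's own
    example also keeps the apostrophe from "It's"."""
    parts = []
    for word in phrase.split():
        if word.isdigit():
            parts.append(word)
        elif word.lower() == "and":
            parts.append("&")
        else:
            parts.append(word[0])
    return "".join(parts)


def check_password(pw: str, dictionary=DICTIONARY) -> list:
    """Return the guidance rules the candidate violates (empty list = acceptable)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if pw.isalpha() or pw.isdigit():
        problems.append("only letters or only digits")
    # Substring match, case-insensitive, so "Password1!" is still caught.
    lowered = pw.lower()
    hits = sorted(w for w in dictionary if len(w) >= 3 and w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    candidate = derive_from_phrase("It's 12 noon and I am hungry")
    print(candidate, check_password(candidate) or "OK")
```

Note that the phrase itself contains dictionary words ("noon", "hungry") while the derived password does not, which is exactly what the sentence-based rule is meant to achieve.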
It is also critical to make sure passwords used for weak systems (like PLCs) or weak protocols (like FTP or HTTP) are not the same as the passwords used for stronger systems. One client rated their control systems in terms of password robustness and then had “throw-away” passwords for systems that sent passwords over the network in plain text.
In future blogs I will discuss technologies like password vaults for managing passwords, but I also would like to hear what real SCADA and process control engineers are doing about their passwords on the plant floor. Send your ideas and questions and together we will make our systems more secure.