27 November 2016
A secure web interface requires:
- Default passwords and ideally default usernames to be changed during initial setup
- Ensuring password recovery mechanisms are robust and do not supply an attacker with information indicating a valid account
- Ensuring web interface is not susceptible to XSS, SQLi or CSRF
- Ensuring credentials are not exposed in internal or external network traffic
- Ensuring weak passwords are not allowed
- Ensuring account lockout after 3 -5 failed login attempts
Recommendation (1) is much too weak. Customers must be forced to change passwords during initial setup.
Why? In many cases customers are simply not aware of the fact that a device is accessible from the internet. For example, HMI touchscreens are often remote accessible through built-in web services:
This HMI panel is well configured. For access e.g. to the files a login to the system is required.
But the default login password is publicly available from SIMATIC discussion forums and wasn’t changed during set up of the device:
With this, rule (1) above will not prevent any attacks on IIoT devices. Customers must be forced to change passwords as soon as the device network adapter is powered up and connected to the company network or the internet.
Have a good week!