Update on IIoT Security Basics

27 November 2016

Number One vulnerability on the OWASP IoT Top 10 from 2014 was “Insecure Web Interface”. The OWASP IoT Project makes the suggestions below to mitigate these vulnerabilities:

A secure web interface requires:

  1. Default passwords and ideally default usernames to be changed during initial setup
  2. Ensuring password recovery mechanisms are robust and do not supply an attacker with information indicating a valid account
  3. Ensuring web interface is not susceptible to XSS, SQLi or CSRF
  4. Ensuring credentials are not exposed in internal or external network traffic
  5. Ensuring weak passwords are not allowed
  6. Ensuring account lockout after 3 -5 failed login attempts

Recommendation (1) is much too weak. Customers must be forced to change passwords during initial setup.

Why? In many cases customers are simply not aware of the fact that a device is accessible from the internet. For example, HMI touchscreens are often remote accessible through built-in web services:

SIMATIC HMI Panel

SIMATIC HMI Panel

This HMI panel is well configured. For access e.g. to the files a login to the system is required.

But the default login password is publicly available from SIMATIC discussion forums and wasn’t changed during set up of the device:

SIMATIC HMI Panel File System Browser Details

SIMATIC HMI Panel File System Browser Details

With this, rule (1) above will not prevent any attacks on IIoT devices. Customers must be forced to change passwords as soon as the device network adapter is powered up and connected to the company network or the internet.

Have a good week!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s