ICS-CERT identifies more security gaps for internet-accessible control systems

The update cites additional activity observed by ICS-CERT related to the threat of internet-accessible control system devices.

“ICS-CERT has recently become aware of multiple systems with default usernames and passwords that are accessible via the internet. These systems have not been configured securely with common best practices such as being placed behind a firewall or changing documented default credentials”, the security update said.

The systems include the Echelon i.LON product – deployed in motors, pumps, valves, sensors and other control devices – which contains a default username and password.

“This is not an inherent vulnerability, but left unchanged, poses a security risk, especially when configured as internet accessible. The default username and password should be removed and replaced with a strong username and password configuration, especially when the device is internet accessible”, ICS-CERT advised.

In addition, ICS-CERT warned that certain industrial control systems have weak authentication mechanisms, which are difficult to fix because users often cannot change the passwords to protect the system. These products include ClearSCADA, Siemens Simatic HMI, and RuggedCom.

“ICS-CERT recommends that organizations audit their control systems and apply patches, and follow vendor-recommended security postures and settings”, the advisory said.

Commenting on the latest advisory, Reid Wightman with Digital Bond said that most systems require users to set a new password during installation. “I find it odd that setting up a server to host, say, a social networking/new media site is inherently more secure than setting up a controller for potentially critical infrastructure”, he wrote on a blog.

ICS-CERT first issued an advisory about the vulnerability of internet-facing industrial control systems in 2010. At that time, it warned about the danger posed by the SHODAN public search engine, which could be used to locate industrial control systems with a simple web search.
