Russian Industrial Controls Systems Supervisory Control and Data Acquisition (ICS/SCADA) researchers posted a list of industrial products that ship with default passwords in an effort to urge vendors to implement better security controls, a move some feel could cause more harm than good.
Jonathan Sander, vice president of product strategy at Lieberman Software told SCMagazine.com that “anyone finding themselves at risk for having default passwords needs to look in the mirror” because some of the fault falls on the IT professional who didn't change the credentials after purchasing the systems.
Sander said the product list and password dump may cause some companies to take inventory and secure vulnerable systems but added it also created new and unnecessary risks to the companies because it exposes them while they try to identify whether or not their systems are protected by a weak password.
“You may not know the name of the vendor for your SCADA stuff because you're buying them in bulk,” Sander said.The researchers point with this exercise was to change the mindset of vendors that use simple and default passwords in industrial systems, instead of requiring users to change these items on first login, use complex passwords, according to InformationWeek,.
The list has been dubbed the “SCADAPass” and contains default credentials for more than 100 products including web servers from vendors such as Allen-Bradley, Schneider Electric, and Siemens.