OT Cybersecurity Best Practices for SMBs: Managing Default Passwords and Identifying ICS/OT Devices Exposed to the Internet

This blog details best practices for operational technology (OT) cybersecurity for under-resourced organizations by Dragos OT-CERT (Operational Technology – Cyber Emergency Readiness Team), which provides free resources to help small and medium businesses (SMBs) create or enhance their OT cybersecurity program. This month’s best practice recommendations cover how to address common ways to compromise ICS devices from the Internet.  

Larger Organizations Take Note

If you have been increasing your security posture and reduced risk of a significant cyber attack in your enterprise, including your OT environment, that’s excellent news! However, does your risk assessment include the possibility of a cyber attack on one of your critical suppliers, and the impact that would have on your company’s operations? Could you still produce your product or provide services to your customers? Read on to ensure that you are quantifying the likelihood and impact of that risk correctly in light of the current threat environment. And strengthen your supply chain security risk posture by promoting OT-CERT to your suppliers!

Legal Disclaimer 

OT-CERT resources are intended to provide guidance to help under-resourced organizations, those lacking sufficient financial resources or technical expertise, to establish minimum baseline OT cybersecurity protections and do not necessarily meet the usual best practice standards for a mature OT cybersecurity program. Dragos, Inc. does not provide any warranty or guarantee that following the guidance provided by OT-CERT alone will safeguard an organization from all OT cybersecurity threats.  Whenever possible organizations should seek additional enhancements to the recommendations provided by OT-CERT resources based on an organization’s own cybersecurity risk profile.

The Persistence of Known Weaknesses 

The narrative in cybersecurity often focuses on the rapidly evolving threat landscape. However, recent events, such as the CyberAv3ngers attacks on Unitronics devices, remind us that the real issue often lies in longstanding vulnerabilities within Industrial Control Systems (ICS) and Operational Technology (OT) environments. These weaknesses are not new revelations; they are well-known, yet they persist due to overlooked, indefensible architectures and insecure configurations, especially in under-resourced organizations. This blog addresses two of these common weaknesses. 

• What are common ways to compromise ICS devices from the Internet? A common weakness in ICS/OT environments is exposing devices to the internet without adequate cybersecurity controls. This leaves the devices susceptible to exploitation or damage. The Unitronics incidents are a prime example of how such exposures can be maliciously leveraged. 

• What are overlooked configuration and security best practices in OT environments? Another critical issue is overlooked cybersecurity considerations in the configuration and deployment of ICS/OT devices. A notable example is the failure to change default passwords provided in the out-of-box configuration of devices, creating an easy entry point for attackers. 

Despite being known for decades, these weaknesses are either not recognized by industrial infrastructure organizations or are not adequately addressed during deployment and maintenance. This gap in cybersecurity practices exposes organizations to significant risks. 

Steps for Addressing These ICS/OT Security Issues 

Every organization with an ICS/OT environment should proactively take the following steps to mitigate these security risks. 

Identify and Protect Internet-Exposed Devices 

You can take a few approaches to find and remediate internet exposed devices in your environment.   

1. Use the native tools available on your assets to check the connectivity available. A previous OT-CERT blog shows some easy steps to check this on Microsoft Windows based assets. The concepts identified in that blog carry over fairly easily to Linux-based assets as well.
2. Utilize tools and resources to scan your public IP addresses from the internet. It is important to scan your public IP addresses regularly because it allows you to keep track of what devices, ports, and services you have exposed to the public. Adversaries utilize internet scanning tools to look for and exploit vulnerable devices; therefore you should be aware of your exposure so you can react before your adversary does. Free or inexpensive network scanning resources are available for critical infrastructure organizations, including those from CISA, MS-ISAC, and Shodan. Some of the more advanced options on Shodan require a paid account but you can check public addresses for free by simply typing them into the search field. If you haven’t done so, you should create a list of all the public IP addresses associated with your organization and add them to your asset inventory.
   
   There are a few ways to find your public IP addresses:
   — Check your router and/or firewall configurations.
   — Check with your internet service provider (ISP).
   — Use online services like “whatsmyip.com”.
   — Review any applicable DHCP Server logs.
   — Use native tools like nslookup or ping to query your domain names and see what public IP addresses they resolve to.
   — Check your existing system documentation.
3. Develop and implement a remediation plan. This plan should establish necessary cybersecurity controls while maintaining required functionality and connectivity. You will need to understand and document the required services, information, access, permissions etc. that must be available for your devices, then you can apply the appropriate cybersecurity controls such as firewalls, VPNs, configuration hardening, and vulnerability management procedures to address any identified weaknesses or exposures.
4. Include requirements in your plans and specifications for future projects that stipulate defensible ICS/OT network architectures including all external connections be implemented in a cybersecure manner according to industry recommended practices and make sure to explicitly include cybersecurity testing in your acceptance testing/system commission requirements.
5. Join OT-CERT for more detailed guidance around finding and remediating internet exposed assets within your environment.

Management of Default Passwords and Internal Security 

You can take a few different approaches to identify and manage your assets that might contain default passwords. 

1. Collaborate with vendors and security experts: Utilize your system documentation, device vendor support, and/or consult the ICS/OT cybersecurity research community for insights on what devices include default passwords. In some cases, device vendors do not publish information about default or hardcoded credentials. In that case, you may find that the cybersecurity research community has made that information available.  
2. If you have the host logs and network visibility, you may be able to hunt through your device authentication logs or network data to look for default or clear text credentials. This information can help you to identify the use of weak credentials or default passwords within your environment. 
3. Develop and implement a Remediation Plan: In some cases, you will have the option to change the default password to something that meets your internal password policy. In other cases, you may need to apply a patch or firmware update. Sometimes, it is not technically feasible to remediate the default password, in those cases, you should utilize a compensating cybersecurity control to protect the device. 
4. Include requirements in your plans and specifications for future projects that stipulate default passwords be identified, documented, and addressed. In acceptance testing/system commission specifications, include requirements to verify that default password remediation efforts have been implemented. 
5. Join OT-CERT for more detailed guidance around identifying and remediating assets with default passwords within your environment.

Getting Help 

If these topics resonate with you and you think you or your organization needs additional guidance on tackling these issues, join Dragos OT-CERT.  In the coming months OT-CERT will produce detailed information to help walk you through the process of finding and remediating ICS devices with default passwords that could be exploited remotely over the internet. 

In Conclusion 

The Unitronics incidents are a stark reminder of the importance of addressing foundational security issues in ICS/OT environments. The focus shouldn’t solely be on evolving threats but also on rectifying known vulnerabilities and weaknesses. By taking decisive steps to identify and protect internet-exposed devices, and to manage default passwords and internal security configurations, you can significantly strengthen your defense against a spectrum of cybersecurity threats. OT-CERT strongly recommends this proactive approach to safeguard our critical infrastructure and ensure the resilience of industrial operations in the face of both old and new cyber challenges. 

Stay Up to Date with SMB Cybersecurity Resources: Join Dragos OT-CERT!

Dragos OT-CERT offers FREE resources to help SMBs build their own manufacturing / ICS / OT cybersecurity program without hiring any cybersecurity experts. OT-CERT membership is free and globally available to OT asset owners and operators. Resources are oriented toward small and medium businesses and resource-challenged organizations with OT environments that lack in-house security expertise. Members have access to a growing library of resources such as reports, webinars, training, best practices blogs, assessments, toolkits, tabletop exercises, and more.

Currently available resources include:

• OT Cybersecurity Fundamentals Self-Assessment Survey
• OT Asset Management Toolkit
• Self-Service OT Ransomware Tabletop Exercise Toolkit
• Collection Management Framework for Incident Response
• OT Cybersecurity Incident Response Toolkit
• OT Data Backups Guidance
• Host-Based Logging and Centralized Logging Toolkits
• Secure Remote Access Toolkit
• Access to an introductory ICS/OT cybersecurity module in Dragos Academy

If you haven’t joined Dragos OT-CERT don’t delay! Please join and spread the word to your community and supply chain so we can all work together to raise the security posture of the entire ecosystem – we are only as strong as our weakest link.

We look forward to working with you to safeguard civilization!