Open Secrets: How OT Networks are Compromised by Clear Text Passwords

Historically, OT networks utilized proprietary protocols optimized for specific functions. Some of these protocols, such as Modbus, Profibus, and DNP3, have become standard industrial communication protocols. These protocols facilitated communication between various hardware components and software systems, often through wired connections like Ethernet.

Why OT Protocols Fall Behind in Encryption

In OT the primary focus is on ensuring continuous production uptime and OT protocols often lack built-in encryption for several reasons:

• Historical Context: Many OT protocols, like Modbus and DNP3, were developed decades ago when cybersecurity threats were not as prevalent. These protocols were designed for reliability and simplicity in isolated environments, often referred to as "air-gapped" systems, where security was not a primary concern.
• Performance and Latency: OT systems prioritize real-time performance and low latency. Adding encryption can introduce delays and computational overhead, which might disrupt the timing and reliability of critical control processes.
• Compatibility and Interoperability: OT environments often consist of a mix of legacy and modern devices. Implementing encryption across all devices can be challenging due to compatibility issues. Many older devices lack the processing power or capability to support encryption.
• Resource Constraints: Many OT devices, such as sensors and controllers, have limited processing power and memory. These constraints make it difficult to implement and manage encryption effectively.
• Perceived Security: Historically, OT networks were considered secure due to their physical isolation from IT networks and the internet. This perception led to less emphasis on built-in security features like encryption.

The Problem with Passwords

Due to lack of built-in encryption sending passwords in clear text in OT networks poses a significant security risk:

• Interception: Attackers can easily intercept clear text passwords if they have access to the network. This can happen through various means, such as compromised devices, unsecured Wi-Fi networks, or even insider threats.
• Unauthorized Access: Once attackers obtain these passwords, they can gain unauthorized access to critical systems, potentially leading to sabotage, data theft, or operational disruptions.
• Credential Reuse: Many users tend to reuse passwords across multiple systems. If a password from an OT network is compromised, it can be used to access other systems, amplifying the impact of the breach.
• Audit Trails: Clear text password transmission can obscure audit trails, making it difficult to trace back the source of an attack and understand the extent of the compromise

Password sharing and using default and simple passwords are quite common in OT environments. The images below show an HMI panel, where the default username and passwords are baked into the UI.

These passwords can be easily intercepted and re-used for malicious purposes. The diagram below illustrates how a shared password can easily be re-used without any extra checks at the PLC to distinguish a user. 

CVE Examples of Passwords in Clear Text

• CVE-2023-2062 is a vulnerability affecting Mitsubishi Electric Corporation's EtherNet/IP configuration tools, specifically the SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD. This vulnerability arises from missing password field masking, which allows a remote, unauthenticated attacker to view the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This can lead to an authentication bypass, enabling attackers to access these modules via FTP.
• CVE-2022-30312 is a vulnerability affecting Trend Controls Inter-Controller (IC) protocol. This vulnerability allows for the cleartext transmission of sensitive information, including credentials. Specifically, the affected components include the Inter-Controller (IC) protocol (57612/UDP)
• CVE-2021-22763 is a vulnerability affecting Schneider Electric's PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100, and PowerLogic EGX300 devices. This vulnerability is due to a weak password recovery mechanism for forgotten passwords (CWE-640). An attacker could exploit this vulnerability to gain administrator-level access to the device.
• CVE-2024-3982 is a vulnerability affecting Hitachi Energy's MicroSCADA X SYS600. This vulnerability allows an attacker with local access to the machine to enable session logging and exploit a session hijacking of an already established session. By default, session logging is not enabled, and only users with administrator rights can enable it
• CVE-2022-29519 is a vulnerability affecting Yokogawa's STARDOM FCN and FCJ Controllers, specifically versions R1.01 to R4.31. This vulnerability involves the cleartext transmission of sensitive information, which could allow an adjacent attacker to intercept network traffic and gain unauthorized access. This could enable the attacker to alter device configuration settings or tamper with device firmware.
• CVE-2022-31204 is a vulnerability affecting Omron's CS series, CJ series, and CP series Programmable Logic Controllers (PLCs). This vulnerability involves the cleartext transmission of passwords used to restrict sensitive engineering operations, such as project/logic uploads and downloads. The passwords are set using the OMRON FINS command "Program Area Protect" and unset using "Program Area Protect Clear," both of which are transmitted in cleartext.

How can swIDch’s OTAC technology help?

swIDch's OTAC (One-Time Authentication Code) technology offers a robust solution for enhancing security in Operational Technology (OT) networks. It replaces static passwords with a dynamic code which is only valid for a few seconds and is one time user only.

This technology is used to protect OT devices such as PLC’s. Even if OTAC is sent over un-encrypted channels it cannot be reused later. The diagram below shows how replacing static passwords with OTAC can mitigate authentication bypass attacks.

• One-Way Dynamic Authentication: OTAC provides a one-way dynamic token authentication process, which means it doesn't require a network connection for authentication. This is particularly useful in OT environments where network connectivity can be unreliable.
• Enhanced Security: By generating a unique, randomized code on-demand, OTAC minimizes the risk of credential interception and unauthorized access.
• User-Friendly: The technology simplifies the authentication process for users, reducing the complexity and potential for errors associated with traditional methods like passwords and OTPs.
• Offline Capability: OTAC can generate authentication codes offline, making it ideal for environments where continuous network connectivity is not guaranteed

Overcoming Security Gaps in OT Systems

The transmission of passwords in clear text over unencrypted channels in OT networks remains a pressing security challenge. While traditional encryption solutions offer robust protection, they are not always feasible in OT environments due to legacy systems, performance constraints, and compatibility issues. This is where innovative technologies like OTAC (One-Time Authentication Code) come into play. OTAC provides a dynamic and secure authentication mechanism that can be transmitted over unsecure channels without compromising security. By adopting OTAC, organizations can significantly enhance the security of their OT networks, ensuring sensitive information remains protected even in the most challenging environments.

--------------------

Author: Vinny Sagar, Solution Architect, swIDch

With over 15 years of experience in pre-sales, consulting and software development in the Identity and Cyber Security space Vinny has helped many clients across various industries and regions to design and deploy Zero Trust solutions that meet their specific needs and challenges.