Detecting default passwords when connecting to devices

When monitoring the communications of process control devices, Kaspersky Industrial CyberSecurity for Networks can determine when default passwords are used. If a connection is made to a device using a password that is set as the default password for the particular type of device, the application registers the corresponding event. To register default password detection events, the application uses the system event type for the detection of system commands.

Kaspersky Industrial CyberSecurity for Networks detects default passwords in the following cases:

An attempt to use a default password was successful or the result of that attempt was not determined. In this case, an event is registered for the detection of the DEFAULT PASSWORD ENTRY system command.
A new password matching the default password is set. In this case, an event is registered for the detection of the DEFAULT PASSWORD SET system command.
The default password is received when reading the connection account credentials from a device. In this case, an event is registered for the detection of the DEFAULT PASSWORD READ or DEFAULT PASSWORD READ WITH TYPE system command (if the password details indicate its type, which determines the operations that can be performed with the device using this password).

Detection of default passwords is supported for certain types of devices and application-level protocols (see the table below).

Supported devices and protocols with default passwords

Devices	Protocols	System commands
ABB Relion series: RED670, REL670, RET670	ABB SPA-Bus	DEFAULT PASSWORD ENTRY DEFAULT PASSWORD SET
BECKHOFF CX series	BECKHOFF ADS/AMS	DEFAULT PASSWORD ENTRY DEFAULT PASSWORD READ DEFAULT PASSWORD SET
Emerson ControlWave series	Emerson ControlWave Designer	DEFAULT PASSWORD ENTRY
General Electric MULTILIN series: B30, C60	Modbus TCP	DEFAULT PASSWORD ENTRY DEFAULT PASSWORD READ DEFAULT PASSWORD READ WITH TYPE DEFAULT PASSWORD SET
Mitsubishi System Q E71	Mitsubishi MELSEC System Q	DEFAULT PASSWORD SET
Schneider Electric Modicon: M580, M340	Modbus TCP	DEFAULT PASSWORD READ WITH TYPE
Siemens SIMATIC S7-200, S7-300, S7-400	Siemens Industrial Ethernet Siemens S7comm	DEFAULT PASSWORD ENTRY DEFAULT PASSWORD READ
Siemens SIMATIC S7-1200, S7-1500	Siemens Industrial Ethernet Siemens S7comm-plus	DEFAULT PASSWORD ENTRY DEFAULT PASSWORD READ DEFAULT PASSWORD SET
Prosoft-Systems Regul R500, PLC with a runtime system for CODESYS V3	CODESYS V3 Gateway	DEFAULT PASSWORD ENTRY DEFAULT PASSWORD READ DEFAULT PASSWORD SET
EKRA 200 series	Modbus TCP for devices of Ekra 200 series	DEFAULT PASSWORD READ DEFAULT PASSWORD SET
EKRA BE2502, BE2704 series	ABB SPA-Bus	DEFAULT PASSWORD ENTRY DEFAULT PASSWORD SET

To register default password detection events, the following conditions must be met:

Network Control is enabled in monitoring mode and Command Control technology is applied.
The table of Network Control rules does not contain any rules for Command Control technology that allow system commands with default passwords. For example, such rules may be automatically created in Network Control learning mode. If the table of Network Control rules contains rules that allow system commands with default passwords, it is recommended to switch these rules to inactive state.
For the relevant assets, tracking of system commands with default passwords is enabled.

Page top