Detecting default passwords when connecting to devices
When monitoring the communications of process control devices, Kaspersky Industrial CyberSecurity for Networks can determine when default passwords are used. If a connection is made to a device using a password that is set as the default password for the particular type of device, the application registers the corresponding event. To register default password detection events, the application uses the system event type for the detection of system commands.
Kaspersky Industrial CyberSecurity for Networks detects default passwords in the following cases:
- An attempt to use a default password was successful or the result of that attempt was not determined. In this case, an event is registered for the detection of the DEFAULT PASSWORD ENTRY system command.
- A new password matching the default password is set. In this case, an event is registered for the detection of the DEFAULT PASSWORD SET system command.
- The default password is received when reading the connection account credentials from a device. In this case, an event is registered for the detection of the DEFAULT PASSWORD READ or DEFAULT PASSWORD READ WITH TYPE system command (if the password details indicate its type, which determines the operations that can be performed with the device using this password).
Detection of default passwords is supported for certain types of devices and application-level protocols (see the table below).
Supported devices and protocols with default passwords
Devices | Protocols | System commands |
---|---|---|
ABB Relion series: RED670, REL670, RET670 | ABB SPA-Bus | DEFAULT PASSWORD ENTRY, DEFAULT PASSWORD SET |
BECKHOFF CX series | BECKHOFF ADS/AMS | DEFAULT PASSWORD ENTRY, DEFAULT PASSWORD READ, DEFAULT PASSWORD SET |
Emerson ControlWave series | Emerson ControlWave Designer | DEFAULT PASSWORD ENTRY |
General Electric Multilin series: B30, C60 | Modbus TCP | DEFAULT PASSWORD ENTRY, DEFAULT PASSWORD READ, DEFAULT PASSWORD READ WITH TYPE, DEFAULT PASSWORD SET |
Mitsubishi System Q E71 | Mitsubishi MELSEC System Q | DEFAULT PASSWORD SET |
Schneider Electric Modicon: M580, M340 | Modbus TCP | DEFAULT PASSWORD READ WITH TYPE |
Siemens SIMATIC S7-200, S7-300, S7-400 | Siemens Industrial Ethernet, Siemens S7comm | DEFAULT PASSWORD ENTRY, DEFAULT PASSWORD READ |
Siemens SIMATIC S7-1200, S7-1500 | Siemens Industrial Ethernet, Siemens S7comm-plus | DEFAULT PASSWORD ENTRY, DEFAULT PASSWORD READ, DEFAULT PASSWORD SET |
Prosoft-Systems Regul R500, PLC with a runtime system for CODESYS V3 | CODESYS V3 Gateway | DEFAULT PASSWORD ENTRY, DEFAULT PASSWORD READ, DEFAULT PASSWORD SET |
EKRA 200 series | Modbus TCP for EKRA 200 series devices | DEFAULT PASSWORD READ, DEFAULT PASSWORD SET |
EKRA BE2502, BE2704 series | ABB SPA-Bus | DEFAULT PASSWORD ENTRY, DEFAULT PASSWORD SET |
To register default password detection events, the following conditions must be met:
- Interaction Control is enabled in monitoring mode and Command Control technology is applied.
- The allow rules table does not contain any rules for Command Control technology that allow system commands with default passwords. For example, the application may automatically create these rules in Interaction Control learning mode. If these rules are present in the allow rules table, you are advised to disable them.
- For the relevant devices, tracking of system commands with default passwords is enabled.