ICS-CERT, the US body responsible for the security of industrial control systems, has warnedPDF of a tool that can be used to crack passwords for programmable logic controllers (PLCs). The Python script has been developed by security experts Alexander Timorin and Dmitry Sklyarov, both members of the SCADA StrangeLove research group.

The tool uses a brute force attack to crack passwords for Siemens SIMATIC S7 programmable logic controllers. It does not, however, try out the passwords on the controller itself; instead it does so offline using recorded network traffic containing authentication events.

On the S7 PLC, authentication is carried out using a challenge-response procedure. The first party sends a random number – the challenge. The other party then appends its password hash to it. The result is again hashed and then sent back to the first party as a response. The first party then does exactly the same with the expected password. It the result agrees with the response received, authentication is successful.

The script extracts the challenge and response from recorded network traffic. It then tries out password after password until hashing produces the recovered response. If a match is found, the attacker now has the password in plain text format. Because cracking a password requires a recording of network traffic, the attacker first has to obtain access to the network.

ICS-CERT states that the report describing the Python script was published without informing either it or the manufacturer of the affected industrial control systems. It also notes that the code could be adapted for systems from other manufacturers.

ICS-CERT gives the usual advice for reducing the risk of attack – control systems should not be accessible via the internet, they should be protected behind a firewall and should be isolated from company networks. Remote access should require a secure method such as VPN. In reality, however, the situation is often quite different.