Threatpost on a new critical infrastructure exploit discovered by security researchers whereby the human-machine interface for RLE International GmbH wind turbines stores passwords in plaintext, an obvious no-no:
Researcher Maxim Rupp discovered the vulnerability in the Nova-Wind Turbine HMI and reported it to the vendor. However, the vendor has been unresponsive and ICS-CERT issued an advisory about the vulnerability in order to warn users.
The vulnerability results from the fact that the software stores user credentials in plaintext, making the turbines attractive targets for attackers. If an attacker gains access to the credentials, he would be able to perform any action he chose on the device.
“Independent researcher Maxim Rupp has identified an unsecure credential vulnerability in the RLE International GmbH Nova-Wind Turbine HMI. RLE has been unresponsive in validating or addressing the alleged vulnerability. ICS-CERT is releasing this advisory to warn and protect critical asset owners of this serious issue,” the advisory says.
If you are a vendor, ignoring a security problem like this is not going to make it go away. In the current security climate, such a strategy will likely backfire, with more light being shed on the issue and additional scrutiny on your products.
Acknowledge the problem, discuss a plan of action to address the security vulnerability, and get to work on issuing a patch to close the exploit. This is not rocket science.