EcoStruxure Geo SCADA Expert Forum
Schneider Electric support forum about installation, configuration, integration and troubleshooting of EcoStruxure Geo SCADA Expert (ClearSCADA, ViewX, WebX).
Posted: 2022-04-16 08:30 AM. Last Modified: 2023-05-02 11:56 PM
With the increased emphasis on logon security post-Colonial Pipeline, we upgraded the password requirements, reset interval and incorrect logon attempt lockouts. However, we have noticed that GeoSCADA does not provide any indication of logon attempts remaining or a notification to the user that the account has been locked. This is a deficiency that needs to be corrected immediately. Additionally, we have found that on occasion, when the password expiration notice is displayed, if the user chooses to ignore the reminder and not immediately reset the password, the notice does not reappear on their next login. This can cause the password to expire without the user being aware.
Any idea how/when this can be corrected?
Posted: 2022-04-17 05:01 PM. Last Modified: 2022-04-17 07:17 PM
I can see security issues with both advertising the cause for user login failure and for advertising the number of attempts remaining.
I'm unaware of any mainstream login system that does this (i.e. Windows / POSIX / etc). Which suggests that it's not a good idea to do this, so I don't see it being something Schneider should implement, let alone prioritise to be 'immediately'.
If you want such, then you could implement this within an LDAP authentication backend (with alerts issued out of channel), using OpenLDAP or any other preferred LDAP provider.
All of the main Geo SCADA Expert users I'm aware of leverage Windows Authentication for the credentials, so GeoSCADA itself isn't actually responsible for this aspect of user security management.
Posted: 2022-04-18 01:23 AM
@BevanWeiss is correct about the login failure message. Secure practice dictates that no information other than login failure can be given, otherwise an attacker can use that information.
As for "if the user chooses to ignore the reminder and not immediately reset the password, the notice does not reappear on their next login." - does it not appear in the message window?
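As an added example (not code from this thread, from Schneider, or from the Geo SCADA Expert product), the following OpenLDAP password-policy configuration shows how the LDAP-backend approach suggested in the second reply would give the backend the lockout and expiry-warning behaviour the original poster wants, while still honouring the point made in the second and third replies: a locked or failed bind returns nothing more than "invalid credentials". The base DN dc=example,dc=com, the policy name cn=default, the database index {1}mdb and the module entry module{0} are placeholders assumed for illustration; the example assumes OpenLDAP 2.5 or later managed through cn=config, where the ppolicy schema is built into the overlay (on 2.4 the ppolicy schema must be loaded before the overlay).

```ldif
# 1. Load the ppolicy overlay module (module{0} is an assumed placeholder;
#    check "ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcModuleLoad").
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 2. Attach the overlay to the user database ({1}mdb assumed) and point it
#    at a default policy entry that applies to every user without a
#    pwdPolicySubentry of their own.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# Hash cleartext passwords written by clients that do not use the
# Password Modify extended operation.
olcPPolicyHashCleartext: TRUE
# FALSE (the default, stated here deliberately): a bind against a locked
# account fails with plain invalidCredentials instead of a distinct
# "account locked" result, so an attacker cannot tell a lockout from a
# wrong password. Set TRUE only if you accept leaking that distinction.
olcPPolicyUseLockout: FALSE

# 3. The policy entry itself. pwdPolicy is auxiliary, so it is hung off a
#    structural class (device) that needs only a cn. All durations are in
#    seconds.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# Expiry: 90-day maximum age, start warning 14 days before expiry.
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
# No grace binds after expiry: an expired password cannot be used to
# log in and then change itself.
pwdGraceAuthNLimit: 0
# Lockout: 5 failures within 15 minutes lock the account for 30 minutes.
# pwdLockoutDuration: 0 would lock until an administrator clears
# pwdAccountLockedTime.
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 900
pwdLockoutDuration: 1800
# Force a change after an administrative reset and let users change
# their own password.
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
# Keep the last 5 hashes so a "reset" cannot reuse the old password.
pwdInHistory: 5
```

Apply sections 1 and 2 with `ldapmodify -Y EXTERNAL -H ldapi:/// -f policy.ldif` (they modify cn=config) and section 3 with an ordinary bind that can write under ou=policies. Two caveats matter for the complaints in the original post. First, the expiry warning is only delivered as a Password Policy response control (timeBeforeExpiration) on each successful bind; it reappears on every login until the password is changed, but only if the client sends the request control and displays the response, which is the client's job, not the server's. Second, the overlay records lockouts in the operational attribute pwdAccountLockedTime, which is not returned unless asked for by name or with `+`; a periodic `ldapsearch -LLL -b ou=people,dc=example,dc=com '(pwdAccountLockedTime=*)' pwdAccountLockedTime` run from cron or a monitoring job is the kind of out-of-channel alert the second reply has in mind, notifying the administrator rather than the person at the login prompt.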