Daktronics Issues Response to ICS-CERT Vanguard(R) Default Credentials Alert

Recently, a small number of North Carolina Department of Transportation Daktronics

Vanguard^® dynamic message signs were compromised. As a result, on June 5, 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security, issued alert ICS-ALERT-14-155-01A referencing a hardcoded password in the Vanguard controller as the primary cause. The ICS-CERT later clarified the alert on Friday, June 6, 2014, stating the password is not hardcoded but is a default password that display owners should change upon installation. ICS-CERT also communicated mitigation recommendations (reprinted below) within the alert.    While the recommendations provided by the ICS-CERT are commonly known as best practices for all display network owners, the alert itself is only applicable to transportation agencies using variable or dynamic message signs. United States transportation system device standards require manufacturers of variable or dynamic message signs to meet unique specifications that are not applicable to other Daktronics products and control systems.  We appreciate our customers' continued trust in Daktronics and look forward to discussing any questions or concerns they may have regarding their Daktronics display.  ICS-ALERT-14-155-01A MITIGATION --------- Begin Update A Part 2 of 2 -------- ICS-CERT is currently coordinating with the Daktronics and the Federal Highway Administration to identify mitigations. Daktronics and the Federal Highway Administration recommend the following: * Displays should not be on publicly accessible IP addresses.  Placing a display on a private network or VPN helps mitigate the lack of security, * Disable the telnet, webpage, and web LCD interfaces when not needed, and * Change the default password to a strong password as soon as possible on all installed devices. --------- End Update A Part 2 of 2---------- ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities.  Specifically, users should: * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. (ICS-CERT ALERT, http://ics-cert.us-cert.gov/alerts/ICS-ALERT-10-301-01) * Locate system networks and devices behind firewalls, and isolate them from the business network. * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.