Slashdot Mirror


SCADA Hacker: Water District Used 3-Character Password

Trailrunner7 writes "In an e-mail interview with Threatpost, a hacker who compromised software used to manage water infrastructure for South Houston, Texas, said the district had HMI (human machine interface) software used to manage water and sewage infrastructure accessible to the Internet and used a password that was just three characters long. The hacker, using the handle 'pr0f', took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems. Communicating from an e-mail address tied to a Romanian domain, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. 'This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,' he wrote in an e-mail."

10 of 213 comments

  1. How much more proof do we need? by AngryDeuce · · Score: 5, Insightful

    The weak point is always going to be the human being. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable. Thousands of jobs in the tech support industry depend on it.

  2. and why... by Lumpy · · Score: 5, Insightful

    Is a FRACKING SCADA system on the internet?

    The Plant manager needs to be fired on the spot. There is ZERO need to have a full connection from a SCADA system to any internet accessible networks.

    An airgap for data is standard operating procedure for these things. Hell, even crap SCADA software like "wonderware" supports a unidirectional ethernet cable and UDP broadcasting of the data stream so that you can airgap it from the administrative computers doing data collection.

    Note: if you don't know what a "unidirectional ethernet cable" is, think standard Cat 5 with the TX wires clipped off on one end http://www.stearns.org/doc/one-way-ethernet-cable.html and YES they do work PC to PC with the right settings or by using a switch where you can force a port on without negotiation.
    No hacker on this planet can crack a system that is at the other end of this type of cable, unless he has physical access.

    --
    Do not look at laser with remaining good eye.
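
Added example, not part of the comment above and not code from any SCADA product: on a one-way link like the one Lumpy describes, the receiver can never acknowledge or request a resend, so each broadcast datagram has to carry enough for the receiver to notice loss and damage by itself. The frame layout and all names below are assumptions made for illustration, and the datagrams are handed over in memory rather than sent over a real UDP socket.

```python
import json
import struct
import zlib

# Constructed frame layout: sequence number, timestamp, CRC32 of the payload.
HEADER = struct.Struct("!IdI")

def encode_frame(seq, ts, reading):
    """Sender side (SCADA network): frame one reading for UDP broadcast."""
    payload = json.dumps(reading, sort_keys=True).encode()
    return HEADER.pack(seq, ts, zlib.crc32(payload)) + payload

class DiodeReceiver:
    """Receiver side (administrative network). There is no return path,
    so it counts what never arrived and discards what arrived damaged."""
    def __init__(self):
        self.next_seq = None
        self.missing = 0    # frames with no usable copy (dropped or damaged)
        self.corrupt = 0    # frames that arrived but failed the checksum
        self.readings = []

    def feed(self, datagram):
        if len(datagram) < HEADER.size:
            self.corrupt += 1
            return
        seq, ts, crc = HEADER.unpack_from(datagram)
        payload = datagram[HEADER.size:]
        # CRC32 catches line damage only; it is not authentication.
        if zlib.crc32(payload) != crc:
            self.corrupt += 1
            return
        if self.next_seq is not None:
            if seq < self.next_seq:
                return                          # stale or duplicate frame
            self.missing += seq - self.next_seq  # gap in the sequence
        self.next_seq = seq + 1
        self.readings.append((seq, ts, json.loads(payload)))

def simulate():
    """Constructed sample: five pump readings, frame 2 dropped, frame 3 damaged."""
    frames = [encode_frame(i, 1000.0 + i, {"pump": "P1", "psi": 60 + i})
              for i in range(5)]
    frames[3] = frames[3][:-1] + b"X"           # flip the last payload byte
    rx = DiodeReceiver()
    for i, frame in enumerate(frames):
        if i != 2:                              # frame 2 never arrives
            rx.feed(frame)
    return rx
```

The damaged frame is counted in both `corrupt` and `missing`, because its header cannot be trusted and the receiver only learns the gap when the next good frame arrives.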
    1. Re:and why... by Crudely_Indecent · · Score: 4, Insightful

      Understanding what the term means is completely different from understanding how it is accomplished.

      I've been building and maintaining networks for over a decade and have never even considered a uni-directional connection before I read this today. Of course, the systems I'm familiar with are specifically for internet access, so bi-directional communication and firewalls had become my norm.

      Thanks for the education Lumpy!

      --
      "Lame" - Galaxar
    2. Re:and why... by Nidi62 · · Score: 4, Insightful

      Is a FRACKING SCADA system on the internet?

      The Plant manager needs to be fired on the spot. There is ZERO need to have a full connection from a SCADA system to any internet accessible networks.

      But how else is the plant manager or a supervisor going to get to read his favorite blogs and news sites, or see that email with the newest picture of a cute kitten doing something funny?

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  3. Re:duh by NeumannCons · · Score: 5, Insightful

    H2o. Need at least one uppercase, one lower case and one non-letter.

  4. Re:Effective passwords? by bill_mcgonigle · · Score: 4, Insightful

    Yeah, thar's yer problem. Just because these things are second nature to us, doesn't mean that non-experts are any good at making these decisions.

    I'd like to see the investigation focus on who approved putting a SCADA system directly on the Internet, why, and then see structural changes to ensure that that sort of person can't make those sorts of decisions anymore.

    Yeah, all SCADA systems should use ssh-quality authentication, but in the meantime we have millions of units deployed that need to be secured.

    Hey, maybe I should market the pfSense firewalls I sell as SCADA secure access controllers... :P

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  5. Re:duh by Anonymous Coward · · Score: 0, Insightful

    That comic is retarded and I don't know why people quote it

  6. Re:duh by rubycodez · · Score: 1, Insightful

    Except Randall Munroe underestimated how good that is. If there are 6000 "common words", then a four word password is out of 6000 * 5999 * 5998 * 5997 = 1.3 * 10^15 combinations. That's more than 50 bits of entropy (2^50 = 1.1 * 10^15), his time to guess should be multiplied by 2^6, or 35,000 years by his 1000 guesses a second (and no login will allow that many, multiply by a thousand more for 35 million years!)

  7. Re:duh by Runaway1956 · · Score: 3, Insightful

    The comic probably does look retarded, to someone who doesn't grasp the concept. You better go now, I can hear the short bus honking for you!

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  8. DHS Response by TheRedSeven · · Score: 5, Insightful

    I first found this incident via Bruce Schneier & Wired.

    The most telling thing, for me, was this section of the linked article:

    “DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Illinois,” according to a statement released by DHS spokesman Peter Boogaard. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

    So...in the instance of a single shoe bomber, stopped by his own stupidity and the efforts of other airline passengers, TSA (a section of DHS) responds by calling it a systemic risk to air travel, and we must all take off our shoes. In the instance of a plot to use liquid explosives, which probably wouldn't have worked and was stopped in the planning stages, TSA responds by calling it a systemic risk and we must all limit ourselves to 3oz bottles of liquids that fit in a quart size bag. In the instance of a single underwear bomber, stopped by his own stupidity, TSA responds by calling it a systemic risk to air travel, and we must all be subject to X-ray/millimeter wave scanners and/or the big Grope.

    In the instance of SCADA hacking, which could conceivably harm our infrastructure on a significant and systemic level from afar, with little/no risk of the perpetrators being caught, DHS responds by saying, "No big deal."

    There's something very...wrong here.