SCADA Hacker: Water District Used 3-Character Password
Trailrunner7 writes "In an e-mail interview with Threatpost, a hacker who compromised software used to manage water infrastructure for South Houston, Texas, said the district had HMI (human machine interface) software used to manage water and sewage infrastructure accessible to the Internet and used a password that was just three characters long. The hacker, using the handle 'pr0f', took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems. Communicating from an e-mail address tied to a Romanian domain, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. 'This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,' he wrote in an e-mail."
How about passwords that don't have to be changed each 30 days and you can't use the last 4 passwords?
I'm in this line of work.. The password was not the problem. Even the hacker is thinking like 'corporate IT' would think in terms of security. The plant floor is different.
Here's the rule: A computer that controls industrial machinery should not be connected to the Internet. The only part of an industrial process that can even possibly be connected to the Internet is historical data and alarming.
HMI software is typically a set of screens representing the automation parts of a plant process. This means that in order to start/stop a motor or energize a valve, the screen is required. It is insecure to put a password on that screen. Yes.. insecure. The priorities at a plant are different. It is always the most secure to allow control of the plant to the people at the plant. There are physical E-stop buttons on control panels in case of emergency, but the E-stop is not the end all to prevent industrial disasters. For example, if a person has his hand caught in a valve, hitting the E-stop may cause the valve to move. Another example would be an exothermic process where explosive gases could accumulate in the wrong parts of the process, hitting the E-stop may not get rid of the gas. The operator at the plant is in charge of the process - it is critical that he or she always have control over the system.
Therefore, don't connect your plant floor to the Internet.. unless you want China to be able to control it. If white-collar executive-type people want to see pretty screens, give them historical data.
--- We need more Ron Paul!
Some government sites have these onerous password requirements, e.g. no fewer than 15 characters, no consecutive characters even if they are a different case, at least one numeric and at least one punctuation. It's not surprising that coming up with something you can remember that fulfills these requirements is a bitch. Oh, and you have to change it periodically. IMHO, this naturally leads to writing the damn thing down somewhere.
Network admin for another city govt in Texas here... albeit a very much smaller city.
1) first of all, it's absolutely nuts to place your water purification SCADA (or even your wastewater plant's SCADA) onto any network segment that's accessible from the public Internet, and we in the IT department know that all too well, however we're not "in charge" of the SCADA systems and have essentially zero authority to do anything about it. Part of the problem here is that the folks who *are* in charge of these systems are thoroughly aware that we in IT know how to better secure their systems, but do not want us involved in any way because our security will "make things too hard for them to do their jobs".
2) The folks who run the SCADA systems on a daily basis know only two things about systems security: 1) diddly and 2) squat. They are water process and industrial chemistry people, not computer people, and it shows big time.
3) The vendors who supply and support the SCADA systems feverishly demand that the SCADA systems be easily accessible over the Internet for their convenience for remote support, and frankly do not give a rat's ass about the customers' security... their response is that security is not their problem, it's ours.
So, it's no wonder these systems are getting hacked and it's going to get worse as time progresses.
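An added example, not part of the original thread: a small Python audit of firewall allow rules against the rule given in the plant-floor comment and echoed by the city network admin, that nothing outside the control network may reach it while historical data stays viewable. The address plan, rule names and ports are constructed for illustration.

```python
import ipaddress

# Constructed address plan (assumption, not from the thread).
CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")    # PLCs and HMI on the plant floor
HISTORIAN_NET = ipaddress.ip_network("10.20.0.0/28")  # history and alarm servers

# Constructed allow rules: (name, source CIDR, destination CIDR, port).
RULES = [
    ("hmi-to-plc",         "10.10.0.0/24",   "10.10.0.0/24", 102),
    ("plc-to-historian",   "10.10.0.0/24",   "10.20.0.0/28", 443),
    ("execs-view-history", "0.0.0.0/0",      "10.20.0.0/28", 443),
    ("vendor-support",     "0.0.0.0/0",      "10.10.0.5/32", 5900),
    ("it-patching",        "192.168.0.0/16", "10.10.0.0/16", 3389),
]


def audit(rules, control=CONTROL_NET):
    """Return the names of allow rules that let a source outside the
    control network reach any address inside it."""
    findings = []
    for name, src, dst, _port in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # overlaps() also catches broad destinations (e.g. a /16) that
        # merely contain the control subnet rather than naming it.
        if dst_net.overlaps(control) and not src_net.subnet_of(control):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for rule in audit(RULES):
        print("violates plant-floor isolation:", rule)
```

The historian rule passes because its destination never overlaps the control subnet, which matches the thread's point that outsiders can be given historical data without being given control.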
You think this is funny, eh?
Richard Feynman had a story about how his hobby was safe cracking. He cracked a cabinet that had a combination lock on it and then told the people who mattered about the security hole. Did they upgrade the security on the cabinet? No, they banned him from the room. Problem solved.
--
BMO