Slashdot Mirror
SCADA Hacker: Water District Used 3-Character Password
Trailrunner7 writes "In an e-mail interview with Threatpost, a hacker who compromised software used to manage water infrastructure for South Houston, Texas, said the district had HMI (human machine interface) software used to manage water and sewage infrastructure accessible to the Internet and used a password that was just three characters long. The hacker, using the handle 'pr0f' took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems. Communicating from an e-mail address tied to a Romanian domain, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. 'This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,' he wrote in an e-mail."
the upside is if you can't afford your own truck landing robot helicopter, it shouldn't be too hard to steal one. access to truck landing robot helicopters should be an inalienable right.
i bet the password was h2o
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
A child who knows how the HMI that comes with Simatic works could have accomplished this...
The obvious course of action to prevent future attacks against SCADA systems is to ban all children. Problem sovled.
If what I just said sounded like a troll, it was probably just a failed attempt at humor.
The weak point is always going to be the human being. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable. Thousands of jobs in the tech support industry depend on it.
Damn it Jim, im a water guy not a computer expert!
How many children know how Simatic works?
I'm a good cook. I'm a fantastic eater. - Steven Brust
That's the same combination I have on my luggage!
Is a FRACKING SCADA system on the internet?
The Plant manager needs to be fired on the spot. there is ZERO need to have a full connection from a SCADA system to any internet accessable networks.
An airgap for data is standard operating proceedure for these things. Hell even crap SCADA software like "wonderware" supports a unidirectional ethernet cable and UDB broadcasting of the data stream so that you can airgap it from the administrative computers doing data collection.
Note: if you don't know what a "unidirectional ethernet cable" is, think standard Cat 5 with the TX wires clipped off on one end http://www.stearns.org/doc/one-way-ethernet-cable.html and YES they do work PC to PC with the right settings or by using a switch where you can force a port on without negotiation.
No hacker on this planet can crack a system that is at the other end of this type of cable, unless he has physical access.
Do not look at laser with remaining good eye.
H2O
"There is more worth loving than we have strength to love." - Brian Jay Stanley
How about passwords that don't have to charged each 30 days and you can't use the last 4 passwords.
I'm in this line of work.. The password was not the problem. Even the hacker is thinking like 'corporate IT' would think in terms of security. The plant floor is different.
Here's the rule: A computer that controls industrial machinery should not be connected to the Internet. The only part of an industrial process that can even possibly be connected to the Internet is historical data and alarming.
HMI software is typically a set of screens representing the automation parts of a plant process. This means that in order to start/stop a motor or energize a valve, the screen is required. It is insecure to put a password on that screen. Yes.. insecure. The priorities at a plant are different. It is always the most secure to allow control of the plant to the people at the plant. There are physical E-stop buttons on control panels in case of emergency, but the E-stop is not the end all to prevent industrial disasters. For example, if a person has his hand caught in a valve, hitting the E-stop may cause the valve to move. Another example would be an exothermic process where explosive gases could accumulate in the wrong parts of the process, hitting the E-stop may not get rid of the gas. The operator at the plant is in charge of the process - it is critical that he or she always have control over the system.
Therefore, don't connect your plant floor to the Internet.. unless you want China to be able to control it. If white-collar executive-type people want to see pretty screens, give them historical data.
--- We need more Ron Paul!
Weren't we told that this did -not- happen? I distinctly recall seeing a denial from the authorities that any water system was compromised at any time.
Some government sites have these onerous password requirements e.g no fewer than 15 characters, no consecutive characters even if they are a different case, at least one numeric and at least one punctuation. It's not surprising that coming up with something you can remember that fulfills these requirements is a bitch. Oh, and you have to change it periodically. IMHO, this naturally leads to writing the damn thing down somewhere.
Network admin for another city govt in Texas here... albeit a very much smaller city.
1) first of all, it's absolutely nuts to place your water purification SCADA (or even your wastewater plant's SCADA) onto any network segment that's accessible from the public Internet, and we in the IT department know that all too well, however we're not "in charge" of the SCADA systems and have essentially zero authority to do anything about it. Part of the problem here is that the folks who *are* in charge of these systems are thoroughly aware that we in IT know how to better secure their systems, but do not want us involved in any way because our security will "make things too hard for them to do their jobs".
2) The folks who run the SCADA systems on a daily basis know only two things about systems security: 1) diddly and 2) squat. They are water process and industrial chemistry people, not computer people, and it shows big time.
3) The vendors who supply and support the SCADA systems feverishly demand that the SCADA systems be easily accessible over the Internet for their convenience for remote support, and frankly do not give a rat's ass about the customers' security... their response is that security is not their problem it's ours.
So, it's no wonder these systems are getting hacked and it's going to get worse as time progresses.
As usual, blame the owners and operators of the target, not the hacker. Because if I don't lock my front door, it's totally OK for you to come in and run up my utility bill and eat out of my fridge, help yourself to my stereo and tv while you're at it... and if I have a spare key under my hood that you find on my car, by all means, how could anyone be held accountable if they take it for a joy ride and/or steal it?
easy as 123 it's so easy to hack the water system.
The most telling thing, for me, was this section of the linked article:
So...in the instance of a single shoe bomber, stopped by his own stupidity and the efforts of other airline passengers, TSA (a section of DHS) responds by calling it a systemic risk to air travel, and we must all take off our shoes. In the instance of a plot to use liquid explosives, which probably wouldn't have worked and was stopped in the planning stages, TSA responds by calling it a systemic risk and we must all limit ourselves to 3oz bottles of liquids that fit in a quart size bag. In the instance of a single underwear bomber, stopped by his own stupidity, TSA responds by calling it a systemic risk to air travel, and we must all be subject to X-ray/millimeter wave scanners and/or the big Grope.
In the instance of SCADA hacking, which could conceivably harm our infrastructure on a significant and systemic level from afar, with little/no risk of the perpetrators being caught, DHS responds by saying, "No big deal."
There's something very...wrong here.
some PHB who does not want to pay for on site staff say make so the work can be done remotely.
A child who knows how the HMI that comes with Simatic works could have accomplished this,' he wrote in an e-mail.
And a child knows too that you shouldn't break into other people's property...
I'm no security expert, but humor me and point out the flaws in my logic below.
Disabling access after X tries might be enough where the token to uniquely identify access is relatively well-defined, like say your ATM card, and disabling access for that user doesn't de-facto terminate the system (i.e. other ATM users can still use the machine with their credentials after it eats your card).
For admin-access to such systems over the internet it's dangerous to disable the admin account after X tries, because then you lose remote administration functionality of a potentially critical system. "Ah, but you can reset with physical access" you will say - yes, true, but this is a critical system they put *on the internet* in the first place, for better or worse, probably because physical access to that system is pretty difficult for the poor sod designated the "administrator" (disused lavatory, beware of leopard, etc.). Who knows how long the system will be offline for administration until the first opportunity for physical access.
The disabling of (admin) access after X tries also effectively creates a DOS attack against that system. I don't know the login procedure of this particular type of system, but assuming it's username/password, you could DOS the system by spamming all kinds of *usernames* with X repetitions of the wrong password to disable them. Preventing the DOS attack would require hard-to-brute-force usernames - the username becomes the secret, not the password.
It's probably also possible to spoof session identifiers for a hacker to evade repetition detection.
I think the SCADA system can only lose in this kind of scenario, unless they have a password that is very hard to crack within its valid timespan. Or until they finally figure out that putting critical systems online with weak passwords or account disabling is probably not such a good idea.
That is annoying, forcing me to change my password at the end of the month from H@cker1 to H@cker2 to H@cker3, and H@cker4 before I can go back to the password I like, but they IT work preventers at my work are really good, so when I am working on the road for 2 weeks, they make sure I can't change my login password without being on the intra-net, and once I am 2 days passed the expire date, the prevent me from launching VPN, joining web meetings... So then I have to use gmail to email a co-worker my passwords so he can change them for me on connected laptop first. Lots of fun.
Things that need external service technicians often have very simple passwords. For example I work in health care and I know of at least two major companies who's components have the same login for every site for administrator access. You probably as a customer could insist on changing it but the vast majority of sites don't. So need to give someone some radiation? You know the password. That said it isn't going to affect a whole community but the 30-100 patients that get treated before the problem is detected? Very doable. Similarly wifi routers from ISPs almost always have a default password most people I know change the WPA key but don't touch the admin account password. So anyone allowed into the network (or who can plug a network cable into the back of the box for a couple minutes) can take it over pretty easy. Not a real big deal I realize because if they change the password to login (since they don't know yours presumably that is what they would do to get internet access) you'd realize it isn't working and work to set it back. But if you are running a wired network primarily but it is a wifi device could be an issue.
At a larger scale: say your China and you are hacking power plant passwords to be able to shut them off (not blow them up). If the passwords are cycled frequently you likely will always have some passwords you've cracked and some you haven't, but the chances that you'll get a sufficient subset of the passwords cracked so you could completely bring the power grid down in a geographical area is remote.