Slashdot Mirror

← Back to Stories (view on slashdot.org)

SCADA Hacker: Water District Used 3-Character Password

Posted by samzenpus on from the abc-easy-as-123 dept.

Trailrunner7 writes "In an e-mail interview with Threatpost, a hacker who compromised software used to manage water infrastructure for South Houston, Texas, said the district had HMI (human machine interface) software used to manage water and sewage infrastructure accessible to the Internet and used a password that was just three characters long. The hacker, using the handle 'pr0f' took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems. Communicating from an e-mail address tied to a Romanian domain, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. 'This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,' he wrote in an e-mail."

14 of 213 comments (clear)

  1. Predicting Government Response by itchythebear · · Score: 5, Funny

    A child who knows how the HMI that comes with Simatic works could have accomplished this...

    The obvious course of action to prevent future attacks against SCADA systems is to ban all children. Problem sovled.

    --
    If what I just said sounded like a troll, it was probably just a failed attempt at humor.
  2. How much more proof do we need? by AngryDeuce · · Score: 5, Insightful

    The weak point is always going to be the human being. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable. Thousands of jobs in the tech support industry depend on it.

  3. Effective passwords? by Anonymous Coward · · Score: 5, Funny

    Damn it Jim, im a water guy not a computer expert!

  4. Re:abc by Chris+Mattern · · Score: 5, Funny

    That's the same combination I have on my luggage!

  5. and why... by Lumpy · · Score: 5, Insightful

    Is a FRACKING SCADA system on the internet?

    The Plant manager needs to be fired on the spot. there is ZERO need to have a full connection from a SCADA system to any internet accessable networks.

    An airgap for data is standard operating proceedure for these things. Hell even crap SCADA software like "wonderware" supports a unidirectional ethernet cable and UDB broadcasting of the data stream so that you can airgap it from the administrative computers doing data collection.

    Note: if you don't know what a "unidirectional ethernet cable" is, think standard Cat 5 with the TX wires clipped off on one end http://www.stearns.org/doc/one-way-ethernet-cable.html and YES they do work PC to PC with the right settings or by using a switch where you can force a port on without negotiation.
        No hacker on this planet can crack a system that is at the other end of this type of cable, unless he has physical access.

    --
    Do not look at laser with remaining good eye.
  6. Re:duh by NeumannCons · · Score: 5, Insightful

    H2o. Need at least one uppercase, one lower case and one non-letter.

  7. Re:duh by stoolpigeon · · Score: 5, Funny

    Of course, you are correct.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
  8. Password not the problem by brxndxn · · Score: 5, Interesting

    I'm in this line of work.. The password was not the problem. Even the hacker is thinking like 'corporate IT' would think in terms of security. The plant floor is different.

    Here's the rule: A computer that controls industrial machinery should not be connected to the Internet. The only part of an industrial process that can even possibly be connected to the Internet is historical data and alarming.

    HMI software is typically a set of screens representing the automation parts of a plant process. This means that in order to start/stop a motor or energize a valve, the screen is required. It is insecure to put a password on that screen. Yes.. insecure. The priorities at a plant are different. It is always the most secure to allow control of the plant to the people at the plant. There are physical E-stop buttons on control panels in case of emergency, but the E-stop is not the end all to prevent industrial disasters. For example, if a person has his hand caught in a valve, hitting the E-stop may cause the valve to move. Another example would be an exothermic process where explosive gases could accumulate in the wrong parts of the process, hitting the E-stop may not get rid of the gas. The operator at the plant is in charge of the process - it is critical that he or she always have control over the system.

    Therefore, don't connect your plant floor to the Internet.. unless you want China to be able to control it. If white-collar executive-type people want to see pretty screens, give them historical data.

    --
    --- We need more Ron Paul!
    1. Re:Password not the problem by vlm · · Score: 5, Informative

      Its just engineering malpractice, pure and simple. No different than trying to claim we don't need those OSHA required safety guards because no one would ever do something stupid or malicious in the plant.

      The other way to hook up to the internet, as described to me by a guy who works at a "real" chemical plant where dangerous stuff is done, is you use two separate systems both of which would have to be hacked to cause damage, plus non-SCADA automatic control.

      In this scenario, where they blew the water pump up by power cycling it, there are two series control relays supplying power to the VFD and if EITHER scada system decides there is a problem with the plant or the other SCADA, that scada cuts input power to the VFD until its convinced its OK. Most VFDs like a 0-10 volt DC input to control their output, and its not all that difficult to hard wire a physical time delayed relay that says you need to output more than a volt for more than a minute to close the relay contacts connecting the VFD to the SCADA and start the pump, so the SCADA literally cannot physically turn the pump on and off more often than once per minute. You can also drive the time delayed relay off the other SCADA system, so one system decides to turn on the pump, while the other decides how fast to run the pump, and either can shut down the pump if they feel the need. Most VFDs can be configured to not allow operation outside certain limits, like drawing more than X amps where X is larger than normal but less than theoretical VFD limit, and not to turn on if a thermocouple says its too hot or a pressure gauge somewhere has an open loop signal. Similar design such that NPSH and output pressure have to be within certain limits or again, the time delayed relays open circuit the AC input to the VFDs and/or the control input to the VFDs. Finally its no heroic effort to wire up two safety bypass relays in series so that if you have control of both SCADA systems, and both independent scada systems agree, you can bypass the safety relays (and the enabling of this bypass also turns off a green light inside the safety directors office, resulting in management involvement, formal written reports and investigation, etc)

      This is cheaper to install and operate than you think, because both suppliers know darn well they can be replaced individually with no real impact to plant operations, unlike the traditional "one ring to bind them all" scada design where the consultants and suppliers know they've got you over a barrel and can charge what they want.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  9. Epic Fail & no-win situation by Anonymous Coward · · Score: 5, Interesting

    Network admin for another city govt in Texas here... albeit a very much smaller city.

    1) first of all, it's absolutely nuts to place your water purification SCADA (or even your wastewater plant's SCADA) onto any network segment that's accessible from the public Internet, and we in the IT department know that all too well, however we're not "in charge" of the SCADA systems and have essentially zero authority to do anything about it. Part of the problem here is that the folks who *are* in charge of these systems are thoroughly aware that we in IT know how to better secure their systems, but do not want us involved in any way because our security will "make things too hard for them to do their jobs".

    2) The folks who run the SCADA systems on a daily basis know only two things about systems security: 1) diddly and 2) squat. They are water process and industrial chemistry people, not computer people, and it shows big time.

    3) The vendors who supply and support the SCADA systems feverishly demand that the SCADA systems be easily accessible over the Internet for their convenience for remote support, and frankly do not give a rat's ass about the customers' security... their response is that security is not their problem it's ours.

    So, it's no wonder these systems are getting hacked and it's going to get worse as time progresses.

  10. DHS Response by TheRedSeven · · Score: 5, Insightful
    I first found this incident via Bruce Schneier & Wired.

    The most telling thing, for me, was this section of the linked article:

    “DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Illinois,” according to a statement released by DHS spokesman Peter Boogaard. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

    So...in the instance of a single shoe bomber, stopped by his own stupidity and the efforts of other airline passengers, TSA (a section of DHS) responds by calling it a systemic risk to air travel, and we must all take off our shoes. In the instance of a plot to use liquid explosives, which probably wouldn't have worked and was stopped in the planning stages, TSA responds by calling it a systemic risk and we must all limit ourselves to 3oz bottles of liquids that fit in a quart size bag. In the instance of a single underwear bomber, stopped by his own stupidity, TSA responds by calling it a systemic risk to air travel, and we must all be subject to X-ray/millimeter wave scanners and/or the big Grope.

    In the instance of SCADA hacking, which could conceivably harm our infrastructure on a significant and systemic level from afar, with little/no risk of the perpetrators being caught, DHS responds by saying, "No big deal."

    There's something very...wrong here.

  11. Child knows by jones_supa · · Score: 5, Funny

    A child who knows how the HMI that comes with Simatic works could have accomplished this,' he wrote in an e-mail.

    And a child knows too that you shouldn't break into other people's property...

  12. Re:How about passwords that don't have to charged by Dare+nMc · · Score: 5, Informative

    That is annoying, forcing me to change my password at the end of the month from H@cker1 to H@cker2 to H@cker3, and H@cker4 before I can go back to the password I like, but they IT work preventers at my work are really good, so when I am working on the road for 2 weeks, they make sure I can't change my login password without being on the intra-net, and once I am 2 days passed the expire date, the prevent me from launching VPN, joining web meetings... So then I have to use gmail to email a co-worker my passwords so he can change them for me on connected laptop first. Lots of fun.

  13. Re:duh by masternerdguy · · Score: 5, Funny

    3 letter password? I guess not everything's bigger in Texas.

    --
    To offset political mods, replace Flamebait with Insightful.