Thousands of SCADA Devices Discovered On the Open Internet

Trailrunner7 writes with news of the continuing poor state of security for industrial control systems. From the article: "Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That's mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States. It's not a pretty picture. The duo ... have with some help from the Department of Homeland Security (PDF) pared down an initial list of 500,000 devices to 7,200, many of which contain online login interfaces with little more than a default password standing between an attacker and potential havoc. DHS has done outreach to the affected asset owners, yet these tides turn slowly and progress has been slow in remedying many of those weaknesses. ...The pair found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums."

Re:Security by stupidity?

[clm1970]

Part of the problem is the engineers designing them. They don't understand the sandbox they're playing in. It isn't in their culture and they don't know that they should secure them much less how to. I'm starting to see organizations hire product security engineers now to try and institute this stuff into the products but they seem way behind the curve IMHO.

Not a surprise.

I have worked for a large world wide organisation where SCADA and similar on-line systems are very prominent. After raising concerns and asking ports to be locked down or default passords to be changed, there was a lot of departmental fighting over who's responsibility and usually after the battle royal of e-mails everyone would forget until the issue was brought up again.

Too much of a not broke don't fix attitude in smaller companies and bureaucracy in larger companies over responsibility.

Give them a kick up the ass

[viperidaenz]

Pay a couple more people to go through the list regularly and poke around, turn things on and off. Make it hotter on cold days and colder on hot days. Take pictures of cars running green lights, shut down all but one elevator, etc...

Just being mindful not to hurt anyone.

It'll soon be cheaper to fix the problem than to waste resources cleaning up the mess.

Re:Security by stupidity?

[some+old+guy]

As a SCADA/Integration guy, I can say that most controls engineers cringe at the thought of their networks being open to the internet. It's usually managers and bean counters who demand real-time global data reporting who drive this lunacy. It's not as simple as it appears.