

SCADA Hacker: Water District Used 3-Character Password

Trailrunner7 writes "In an e-mail interview with Threatpost, a hacker who compromised software used to manage water infrastructure for South Houston, Texas, said the district had HMI (human machine interface) software used to manage water and sewage infrastructure accessible to the Internet and used a password that was just three characters long. The hacker, using the handle 'pr0f' took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems. Communicating from an e-mail address tied to a Romanian domain, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. 'This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,' he wrote in an e-mail."

Comments:
  • by Anonymous Coward on Monday November 21, 2011 @11:26AM (#38124254)

    Credit where credit was due: It was a Siemens system, of Stuxnet fame. Great for launching false-flag attacks to drum up support against "terrorists" and our civil rights.

    -- Ethanol-fueled

  • by vlm ( 69642 ) on Monday November 21, 2011 @11:52AM (#38124616)

    It's just engineering malpractice, pure and simple. No different than trying to claim we don't need those OSHA-required safety guards because no one would ever do something stupid or malicious in the plant.

    The other way to hook up to the internet, as described to me by a guy who works at a "real" chemical plant where dangerous stuff is done, is you use two separate systems both of which would have to be hacked to cause damage, plus non-SCADA automatic control.

    In this scenario, where they blew the water pump up by power cycling it, there are two series control relays supplying power to the VFD, and if EITHER SCADA system decides there is a problem with the plant or the other SCADA, that SCADA cuts input power to the VFD until it's convinced it's OK. Most VFDs like a 0-10 volt DC input to control their output, and it's not all that difficult to hard-wire a physical time-delayed relay that says you need to output more than a volt for more than a minute to close the relay contacts connecting the VFD to the SCADA and start the pump, so the SCADA literally cannot physically turn the pump on and off more often than once per minute. You can also drive the time-delayed relay off the other SCADA system, so one system decides to turn on the pump, while the other decides how fast to run the pump, and either can shut down the pump if they feel the need. Most VFDs can be configured to not allow operation outside certain limits, like drawing more than X amps where X is larger than normal but less than the theoretical VFD limit, and not to turn on if a thermocouple says it's too hot or a pressure gauge somewhere has an open-loop signal. Similar design such that NPSH and output pressure have to be within certain limits or again, the time-delayed relays open-circuit the AC input to the VFDs and/or the control input to the VFDs. Finally, it's no heroic effort to wire up two safety bypass relays in series so that if you have control of both SCADA systems, and both independent SCADA systems agree, you can bypass the safety relays (and the enabling of this bypass also turns off a green light inside the safety director's office, resulting in management involvement, formal written reports and investigation, etc.).

    This is cheaper to install and operate than you think, because both suppliers know darn well they can be replaced individually with no real impact to plant operations, unlike the traditional "one ring to bind them all" scada design where the consultants and suppliers know they've got you over a barrel and can charge what they want.
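The interlock vlm sketches above is easier to reason about once it is written down. The following Python simulation is an added example, not code from the thread, from Siemens, or from any plant; it models two SCADA outputs feeding a hard-wired time-delayed enable relay (more than 1 V for more than a minute before the contacts close), the two series fault relays, VFD/sensor limits, and the two-party bypass with its logged alarm. The 1 Hz sampling, the 40 A and 80 °C trip points, and the toggling and steady input patterns are constructed for the simulation; the comment only says "X amps".

```python
from dataclasses import dataclass

# Thresholds: ">1 V for >1 minute" is from the comment; the VFD/sensor
# limits are constructed placeholders for a plant's own settings.
ENABLE_VOLTS = 1.0      # control input must exceed this ...
ENABLE_DELAY_S = 60     # ... for this many consecutive seconds to close the relay
MAX_AMPS = 40.0         # VFD over-current trip (constructed)
MAX_TEMP_C = 80.0       # thermocouple trip (constructed)


@dataclass
class ScadaSample:
    """One second of output from one SCADA system (constructed model)."""
    command_volts: float      # 0-10 V demand sent towards the VFD
    plant_ok: bool = True     # False => this SCADA opens its series relay
    bypass: bool = False      # request to bypass the safety relays


@dataclass
class Sensors:
    """Hard-wired plant readings the interlock checks independently of SCADA."""
    amps: float = 10.0
    temp_c: float = 40.0
    pressure_loop_open: bool = False


class PumpInterlock:
    """Hard-wired logic sitting between the two SCADA outputs and the VFD."""

    def __init__(self):
        self.hold_s = 0          # consecutive seconds A has exceeded ENABLE_VOLTS
        self.running = False
        self.starts = 0
        self.log = []            # (t, event, detail) for the safety director's report

    def _stop(self, t, reason):
        if self.running:
            self.log.append((t, "stop", reason))
        self.running = False
        self.hold_s = 0          # the minute-long hold starts over after any stop

    def step(self, t, a: ScadaSample, b: ScadaSample, s: Sensors) -> bool:
        # Bypass needs BOTH independent systems to agree, and is always logged
        # (this is the "green light goes off in the safety director's office").
        bypassed = a.bypass and b.bypass
        if bypassed:
            self.log.append((t, "bypass", "both SCADA systems asserted bypass"))
        elif a.bypass != b.bypass:
            self.log.append((t, "bypass-mismatch", "only one system asserted bypass"))

        # Series relays: either SCADA flagging a problem cuts VFD input power.
        if not a.plant_ok or not b.plant_ok:
            self._stop(t, "series relay opened by a SCADA fault flag")
            return False

        # VFD limits and sensor interlocks, independent of anything SCADA says.
        if not bypassed and (s.amps > MAX_AMPS or s.temp_c > MAX_TEMP_C
                             or s.pressure_loop_open):
            self._stop(t, "VFD/sensor limit")
            return False

        # Time-delayed enable relay driven by A: hold > ENABLE_VOLTS for ENABLE_DELAY_S.
        if a.command_volts > ENABLE_VOLTS:
            self.hold_s += 1
        else:
            self._stop(t, "command dropped below enable threshold")
            return False

        if not self.running and self.hold_s >= ENABLE_DELAY_S:
            self.running = True
            self.starts += 1
            # B decides how fast to run once A has enabled the pump.
            self.log.append((t, "start", f"speed demand {b.command_volts:.1f} V from SCADA B"))
        return self.running


def run(samples_a, samples_b, sensors=None):
    """Feed per-second samples through the interlock; return (pump starts, event log)."""
    il = PumpInterlock()
    s = sensors or Sensors()
    for t, (a, b) in enumerate(zip(samples_a, samples_b)):
        il.step(t, a, b, s)
    return il.starts, il.log


def toggling_scada(seconds, period_s):
    """Constructed input: a controller flipping the pump on/off every period_s seconds."""
    return [ScadaSample(command_volts=8.0 if (t // period_s) % 2 == 0 else 0.0)
            for t in range(seconds)]


def steady_scada(seconds, volts=6.0):
    """Constructed input: a controller holding a constant demand."""
    return [ScadaSample(command_volts=volts) for _ in range(seconds)]


if __name__ == "__main__":
    # Rapid power cycling from a compromised SCADA A never closes the relay.
    print(run(toggling_scada(600, 5), steady_scada(600)))
    # A legitimate steady command starts the pump once, after the one-minute hold.
    print(run(steady_scada(600), steady_scada(600)))
```

Running it shows the property vlm describes: a controller that flips the demand every five seconds produces zero pump starts in ten minutes, a two-minute on/off pattern produces at most one start per cycle, and an over-current reading keeps the pump off regardless of what either SCADA commands.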

  • by Dare nMc ( 468959 ) on Monday November 21, 2011 @12:13PM (#38124902)

    That is annoying, forcing me to change my password at the end of the month from H@cker1 to H@cker2 to H@cker3, and H@cker4 before I can go back to the password I like, but the IT work preventers at my work are really good, so when I am working on the road for 2 weeks, they make sure I can't change my login password without being on the intranet, and once I am 2 days past the expiry date, they prevent me from launching VPN, joining web meetings... So then I have to use gmail to email a co-worker my passwords so he can change them for me on a connected laptop first. Lots of fun.

  • Re:and why... (Score:3, Informative)

    by Crudely_Indecent ( 739699 ) on Monday November 21, 2011 @01:11PM (#38125604)

    I was referring to the person who had something constructive and informative to say.

    Simply cutting the TX pair won't do the trick; there are many more configurations necessary for the network to accept this type of connection. Negotiation is a process where two endpoints determine the capabilities of the other end and "negotiate" a connection. Without bi-directional communication, you must configure the transmitting end with static values, then inform the receiving end what those values are. Simply cutting wires won't work. The work involved takes more than a pair of side cutters.

    "Lumpy" isn't a nickname I gave to you, it is the name of the person who originally suggested the uni-directional cable method. I was not referring to you.
