
Thousands of SCADA Devices Discovered On the Open Internet

Posted by Unknown Lamer
from the easier-that-way dept.
Trailrunner7 writes with news of the continuing poor state of security for industrial control systems. From the article: "Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That's mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States. It's not a pretty picture. The duo ... have, with some help from the Department of Homeland Security, pared down an initial list of 500,000 devices to 7,200, many of which contain online login interfaces with little more than a default password standing between an attacker and potential havoc. DHS has done outreach to the affected asset owners, yet these tides turn slowly and progress has been slow in remedying many of those weaknesses. ...The pair found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums."
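
The winnowing the summary describes, from half a million search hits down to a few thousand control devices with login pages, is mostly mechanical filtering. As an added illustration (my own code, not the researchers' tooling or anything from the article), here is a small Python triage pass over a constructed banner dump: it drops records with private addresses, keeps hosts that answer on a well-known industrial protocol port or whose HTTP banner carries a control-system keyword, and flags those that also expose an HTTP Basic or form login. The port map, keyword list, sample records and scoring are all assumptions chosen for the demo, not data from the study.

```python
import ipaddress
import re
from collections import Counter

# Well-known industrial-protocol ports. Assumed short list for illustration;
# a real triage would use a much fuller service map.
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Keywords that suggest an HTTP banner belongs to a control-system web interface
# (assumed, illustrative; tune against your own false positives).
ICS_KEYWORDS = re.compile(r"\b(PLC|SCADA|HMI|RTU|Building Automation|Controller)\b", re.I)
BASIC_AUTH = re.compile(r'WWW-Authenticate:\s*Basic\s+realm="([^"]*)"', re.I)
PASSWORD_FORM = re.compile(r"<input[^>]+type=[\"']?password", re.I)

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (tab-separated: ip, port, raw banner). Not real scan data.
SAMPLE_RECORDS = [
    '198.51.100.7\t80\tHTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="PLC Web Server"\r\n',
    "198.51.100.8\t44818\t",
    '198.51.100.9\t80\tHTTP/1.1 200 OK\r\n<title>Building Automation Login</title><form><input type="password" name="pw"></form>',
    "198.51.100.10\t80\tHTTP/1.1 200 OK\r\nServer: Apache\r\n<title>Welcome to nginx</title>",
    "10.0.0.5\t502\t",
    '198.51.100.11\t443\tHTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Router"\r\n',
]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_record(line):
    """One tab-separated record: ip, port, raw banner (banner may be empty)."""
    ip, port, banner = line.rstrip("\n").split("\t", 2)
    return ip, int(port), banner


def classify(ip, port, banner):
    """Return a finding dict, or None when the record shows no control-system signal."""
    if is_rfc1918(ip):
        return None  # internal address leaked into the dump; not Internet-facing
    score, reasons = 0, []
    protocol = ICS_PORTS.get(port)
    if protocol:
        score += 2
        reasons.append(f"industrial protocol port {port} ({protocol})")
    m = ICS_KEYWORDS.search(banner)
    if m:
        score += 1
        reasons.append(f"control-system keyword '{m.group(1)}' in banner")
    if score == 0:
        return None  # the Internet is full of login pages; keep only ICS-looking ones
    m = BASIC_AUTH.search(banner)
    if m:
        score += 2
        reasons.append(f"HTTP Basic login exposed (realm '{m.group(1)}')")
    elif PASSWORD_FORM.search(banner):
        score += 2
        reasons.append("HTML password form exposed")
    return {"ip": ip, "port": port, "protocol": protocol or "HTTP", "score": score, "reasons": reasons}


def triage(lines):
    """Classify every record and return the findings, highest score first."""
    findings = [f for f in (classify(*parse_record(line)) for line in lines) if f]
    findings.sort(key=lambda f: (-f["score"], f["ip"], f["port"]))
    return findings


def summarize(findings):
    """Count findings per protocol, the kind of breakdown the study reports."""
    return Counter(f["protocol"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_RECORDS)
    for f in results:
        print(f"{f['ip']}:{f['port']} [{f['protocol']}] score={f['score']} -> {'; '.join(f['reasons'])}")
    print(dict(summarize(results)))
```

A score only says "worth a human look"; whether the login really is a factory default is something the researchers confirmed by hand (and with DHS involvement), not something to test by poking at strangers' controllers.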
  • by khasim (1285) <brandioch.conner@gmail.com> on Thursday January 10, 2013 @04:12PM (#42550997)

    There are a LOT of idiots out there who do installations.

    At one place I worked, contractors went into a remote office to install a phone system and ended up wiring a Win2003 server directly to the Internet (and the internal network) so that they could log into it to make changes to the phone system.

  • by webmistressrachel (903577) on Thursday January 10, 2013 @04:13PM (#42551009) Journal

    Two factors have caused this - one, the assumption that those with the knowledge to cause havoc have better things to do with their time, and two, the assumption by manufacturers that factory floor equipment will be physically separated from the public (and by implication, the Internet).

    All the changes that have resulted in this situation are probably very recent (10 years), and are in situations where legacy networks and equipment have been bolstered by or re-connected with new stuff by young IT-types, not engineers, who probably had no idea all the industrial stuff wasn't secured!

  • by cayenne8 (626475) on Thursday January 10, 2013 @04:21PM (#42551105) Homepage Journal
    Regardless....

    Can someone PLEASE post the links to all the red light cameras (down here they're also fucking speed cameras useful for nothing better than revenue generation, which has essentially been admitted to by the city)....

    I'd love to be able to *ahem*....access those.

    :)

  • by viperidaenz (2515578) on Thursday January 10, 2013 @04:27PM (#42551161)

    Pay a couple more people to go through the list regularly and poke around, turn things on and off. Make it hotter on cold days and colder on hot days. Take pictures of cars running green lights, shut down all but one elevator, etc...

    Just being mindful not to hurt anyone.

    It'll soon be cheaper to fix the problem than to waste resources cleaning up the mess.

  • by war4peace (1628283) on Thursday January 10, 2013 @05:05PM (#42551659)

    I saw a gas station and one of the pumps there was in "maintenance mode" or something. Anyway, it wasn't working and on a little LCD display on its body there was an IP address. It wasn't a private IP so I noted it down and when I got to work I tried accessing it through HTTP. Well, what do you think? A nice web-based username+password interface popped up.

    Now I ain't a hacker and I really didn't try anything, but I'm sure a skilled security professional would have hacked right through that interface. It's really amazing how many poorly secured interesting devices are out there.

  • by Anonymous Coward on Thursday January 10, 2013 @06:00PM (#42552309)

    Don't blame me, I'm just the guy that wrote the specification and the software.

    - Management told me to remove security. Too much effort (what's a linter? Stop using it. Shorter passwords. Private network? Can't we just use a cable modem? "Fuzzing" ? Takes too long... turn it off)
    - Management told me to remove encryption. Too hard to read and debug over-the-wire for the field tech, who might have to run a program and click a button to decode traffic. Or worse, move a jumper to "debug".
    - Management had me source the cheapest possible components, and try to use software to recover from their faster and bizarre failures.
    - Management had me install DHCP support into the SCADA devices, so it could be hooked onto the easiest possible network.
    - Management had me unlock the cellular modem so it would connect to any tower.
    - Management had me use public DNS in my SCADA system, because running our own would have cost an afternoon.
    - Management had me write a 4 digit backdoor PIN into all hardware, that could not be turned off.
    - Management had me specify, design, and write a remote firmware flash interface supporting and utilizing most of the above.
    - Management had me write a remote reverse serial console proxy available by pointing your web browser at the right URL.
    - Management had me use public rdate servers rather than pay for an accurate internal clock.

    Look, I'm just a software engineer. I know a bit of hardware. I let people know when things are dangerous. I quote them times and estimates and costs.

    I quote them expected failure rates.

    They settle on the cheapest most disease-ridden stray cat they can find starving in a ditch and sell it as a liger. And your engineers somehow buy it.

    Look, I may not know everything about securing them -- but most of these problems aren't caused by inept engineers, they're caused by management and sales cutting corners to buy their third porsche.

    I'd *LOVE* to see a reverse bounty program. Sell the management induced bugs in your software to a company client for legal protection against lawsuit, and five years of contractual consulting rates to clean it up.

  • by karlandtanya (601084) on Thursday January 10, 2013 @07:13PM (#42552897)

    From the program in it, I guess it was a demo, not running anything.

    I found it completely by accident by searching for the part number of one of the modules that happened to be in the chassis with the controller and the ethernet bridge. The ethernet bridge has its own web page which automatically displays the contents of the chassis, with links to the modules.

    I added a controller-scoped tag to it called "ICanSeeYouFromTheInternet", and a tag description of "Please put your ENBT on a private network".
    A couple of days later it was gone.
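
The chassis page the commenter stumbled on is the HTTP face of the same identity data an EtherNet/IP bridge (I take "ENBT" to be a ControlLogix 1756-ENBT) will hand to anyone who sends it a ListIdentity request on port 44818, which is also how scanners fingerprint these modules. As an added example, my own code rather than anything from the commenter or the vendor, here is a minimal ListIdentity request builder and reply parser in Python. It runs offline against a constructed reply; the product code, revision, status word, serial number, state byte and the 192.0.2.10 address in that reply are made-up values, the product name string just echoes the module the commenter mentions, and the vendor/device-type name tables are deliberately tiny.

```python
import socket
import struct

ENIP_PORT = 44818          # EtherNet/IP encapsulation port (TCP and UDP)
LIST_IDENTITY = 0x0063     # encapsulation command: ListIdentity (no session needed)
ITEM_IDENTITY = 0x000C     # CIP Identity item type carried in the reply
HEADER = "<HHII8sI"        # command, length, session handle, status, sender context, options
VENDOR_NAMES = {1: "Rockwell Automation/Allen-Bradley"}   # ODVA vendor IDs; extend as needed
DEVICE_TYPES = {0x0C: "Communications Adapter"}           # CIP device type codes; extend as needed


def build_list_identity_request(context=b"\x00" * 8):
    """24-byte encapsulation header with an empty payload."""
    return struct.pack(HEADER, LIST_IDENTITY, 0, 0, 0, context, 0)


def parse_identity_item(item):
    """Decode one CIP Identity item (encapsulation fields are little-endian,
    the embedded socket address is big-endian)."""
    (_proto_ver,) = struct.unpack_from("<H", item, 0)
    _family, port, addr = struct.unpack_from(">hHI", item, 2)   # sin_zero at 10..17 is skipped
    vendor, dev_type, product, rev_major, rev_minor, status, serial = struct.unpack_from(
        "<HHHBBHI", item, 18)
    name_len = item[32]
    name = item[33:33 + name_len].decode("ascii", "replace")
    state = item[33 + name_len]
    return {
        "ip": ".".join(str(b) for b in addr.to_bytes(4, "big")),
        "port": port,
        "vendor_id": vendor,
        "vendor": VENDOR_NAMES.get(vendor, f"vendor {vendor}"),
        "device_type": DEVICE_TYPES.get(dev_type, f"type {dev_type:#04x}"),
        "product_code": product,
        "revision": f"{rev_major}.{rev_minor}",
        "status": status,
        "serial": f"{serial:08X}",
        "product_name": name,
        "state": state,
    }


def parse_list_identity_response(data):
    """Validate the encapsulation header and return one dict per Identity item."""
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    command, length, _session, status, _ctx, _opts = struct.unpack_from(HEADER, data, 0)
    if command != LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command {command:#06x} / status {status}")
    body = data[24:24 + length]
    if len(body) != length:
        raise ValueError("truncated reply")
    (count,) = struct.unpack_from("<H", body, 0)
    off, devices = 2, []
    for _ in range(count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        if len(item) != item_len:
            raise ValueError("truncated item")
        if item_type == ITEM_IDENTITY and item_len >= 34:   # 34 = fixed fields + empty name + state
            devices.append(parse_identity_item(item))
        off += item_len
    return devices


def query_device(host, timeout=2.0):
    """Send ListIdentity over UDP to one host. Only use against equipment you are
    authorized to scan; this is exactly the probe that finds exposed bridges."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity_request(), (host, ENIP_PORT))
        data, _ = s.recvfrom(4096)
    return parse_list_identity_response(data)


def build_sample_response():
    """Constructed reply for the offline demo, not a capture from a real device;
    product code, revision, status, serial, state and address are made up."""
    name = b"1756-ENBT/A"
    item = struct.pack("<H", 1)                                            # protocol version
    item += struct.pack(">hHI8s", 2, ENIP_PORT, 0xC000020A, b"\x00" * 8)   # AF_INET, 192.0.2.10
    item += struct.pack("<HHHBBHI", 1, 0x0C, 88, 4, 2, 0x0030, 0x12345678)
    item += bytes([len(name)]) + name + b"\x03"
    body = struct.pack("<HHH", 1, ITEM_IDENTITY, len(item)) + item
    return struct.pack(HEADER, LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


if __name__ == "__main__":
    for dev in parse_list_identity_response(build_sample_response()):
        print(dev)
```

The reply carries vendor, product, firmware revision and serial number in clear, with no authentication, which is why an exposed bridge is trivially identifiable from the outside even before anyone opens its web page.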

  • by Anonymous Coward on Thursday January 10, 2013 @07:54PM (#42553171)

    Railroads commonly control switch points with DTMF tones over open radio channels.

    This is widely known and a dreadful safety issue but no one talks about it.

  • by some old guy (674482) on Thursday January 10, 2013 @08:09PM (#42553327)

    As a SCADA/Integration guy, I can say that most controls engineers cringe at the thought of their networks being open to the internet. It's usually managers and bean counters who demand real-time global data reporting who drive this lunacy. It's not as simple as it appears.
