Poor Passwords, Weak Software Make SCADA Systems Vulnerable to Attack

While putting industrial systems on the Internet may make it easier to manage and monitor them remotely, they are also exposing critical infrastructure to cyber-attacks.

Security professionals have been sounding the alarm about protecting critical infrastructure from cyber-attackers for a while, and recent incidents show that attacks are very likely.

Shortly after reports emerged of cyber-attackers breaching a city water utility network in Springfield, Ill., and damaging a water pump, another hacker, going by the name "pr0f," targeted a city water utility in South Houston, Texas, to show how easy it was to compromise the industrial-control systems at these facilities. He posted screenshots purported to be taken after breaching the system, but there is no definitive way to look at the images and ascertain whether they are legitimate, Andre Eaddy, director of cyber-security portfolio services at Unisys, told eWEEK.

However, even without additional details on what happened in the attack at the Illinois facility or the South Houston plant, attacks against critical infrastructure need to be taken seriously, Eaddy said.

"Without a question, this was not an isolated event. There will be other events to follow," Eaddy said.

There was no harm done to the sewer system, and the supervisory control and data acquisition (SCADA) system has been taken offline, South Houston Mayor Joe Soto told the Houston Chronicle. Pr0f claimed to have steered clear of causing any damage, calling such vandalism "stupid and silly."

Pr0f also blamed the utility for connecting SCADA systems to the Internet. In subsequent interviews with Threatpost, pr0f claimed the facility was running Siemens Simatic human-machine interface software that was accessible from the Internet and was protected with a password only three characters long.

"I wouldn't even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two-year old with a basic knowledge of Simatic," he wrote in a post on Pastebin, a text-sharing site.

Hooking up SCADA systems to the Internet is not a security "best practice," Eaddy said, but there are a number of reasons a business might decide to do so, such as the convenience of being able to remotely monitor and manage the facility. Whether the business reason is worth the risk depends on the organization's tolerance level, he said.

Utility companies have the responsibility to ensure their systems are reasonably secure and not to engage in "sub-par, risky practices," such as running outdated software or using applications known to be insecure, according to Eaddy. Hackers aren't necessarily crafting exotic exploits or customizing new attacks, as they can target known vulnerabilities in programs that haven't been fixed, he said. These aren't zero-day bugs, but rather issues that people have known about for a long time, according to Eaddy.

"I dislike, immensely, how the DHS tends to downplay" the weaknesses of the national infrastructure, the hacker wrote on Pastebin, claiming that the South Houston breach was spurred in part to show that the Springfield attack was not an unusual incident.

According to security writer Brian Krebs, who had access to portions of the report issued by the Illinois Statewide Terrorism and Intelligence Center about the attack in Springfield, the water utility was running a copy of phpMyAdmin, a popular Web-based database administration tool.

The attack was similar to a recent compromise of servers at the Massachusetts Institute of Technology earlier this month, the Illinois state agency wrote in the report. "The water district's attack and the MIT attack both had references to phpMyAdmin in the log files of the computer systems," the report said.

According to the National Vulnerability Database, phpMyAdmin has over 100 reported security vulnerabilities. Chester Wisniewski, a senior security advisor at Sophos, said he used to use phpMyAdmin on a personal site but uninstalled it four years ago because the software was too insecure for a "play" site.
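The Illinois report above tied the two incidents together by the phpMyAdmin references left in log files. The script below is an added example, not code from the article or from any of the reports it cites: it scans Web server access-log lines in the common combined format, flags every request aimed at a phpMyAdmin install, and separates hits from an assumed trusted management network (`192.168.10.0/24`, a placeholder) from hits arriving from anywhere else. The log lines, addresses and timestamps are constructed for the example, and the path markers (`phpmyadmin`, `/pma/`) are an assumption about how such installs are usually exposed.

```python
"""Flag requests to a Web-based database admin tool (phpMyAdmin) in HTTP
access logs and report those coming from outside a trusted network.
Added example with constructed sample data; not taken from the Springfield
or MIT incident reports."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed combined-format access-log lines (documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2011:03:12:45 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2011:03:12:47 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Nov/2011:03:13:01 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 512 "-" "python-requests/2.6"
192.168.10.5 - - [10/Nov/2011:08:00:10 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2011:03:12:50 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# client ip, ident, user, [timestamp], "METHOD path PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed path fragments that identify a phpMyAdmin install; matched
# case-insensitively because the directory is often only renamed in case.
PMA_MARKERS = ("phpmyadmin", "/pma/")

# Assumed internal management network; anything else is treated as external.
TRUSTED_NETS = [ip_network("192.168.10.0/24")]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_pma_request(path):
    """True when the requested path points at a phpMyAdmin install."""
    lowered = path.lower()
    return any(marker in lowered for marker in PMA_MARKERS)


def is_trusted(ip):
    """True when the client address falls inside an assumed management network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_pma_access(log_text):
    """Map each untrusted client address to its phpMyAdmin requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_pma_request(rec["path"]):
            continue
        if is_trusted(rec["ip"]):
            continue
        hits[rec["ip"]].append(rec)
    return dict(hits)


def report(hits):
    """Render the findings, busiest address first, with non-error responses counted."""
    lines = []
    for ip, recs in sorted(hits.items(), key=lambda kv: -len(kv[1])):
        non_error = sum(1 for r in recs if r["status"] < 400)
        lines.append(f"{ip}: {len(recs)} phpMyAdmin request(s), {non_error} non-error response(s)")
        for r in recs:
            lines.append(f"    [{r['ts']}] {r['method']} {r['path']} -> {r['status']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_pma_access(SAMPLE_LOG)))
```

On the constructed input the script reports two external addresses: one that reached the login page and got a non-error response, and one probing a setup script that returned 404. A successful (non-error) response to a phpMyAdmin path from an address outside the management range is the condition worth alerting on; the 404 probe is background noise that still shows the tool's presence is being tested from outside.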

It is becoming a common practice to connect sensitive critical infrastructure to the Internet and use off-the-shelf software to manage them for convenience and to keep costs low, "but this is bordering on criminally negligent when you are responsible for our water, power, gas and other sensitive utilities," Wisniewski wrote on the Naked Security blog.

"The Department of Homeland Security needs to do a top-down audit of these systems and mandate that these insecure practices come to an end," Wisniewski said.

Eaddy also said that it was important for industry-focused information sharing and analysis centers to do a "better job" reporting and disclosing incidents as they occur.