    Poor Passwords, Weak Software Make SCADA Systems Vulnerable to Attack

    Written by

    Fahmida Y. Rashid
    Published November 21, 2011

      Security professionals have been sounding the alarm about protecting critical infrastructure from cyber-attackers for a while, and recent incidents show that attacks are very likely.

      Shortly after reports emerged of cyber-attackers breaching a city water utility network in Springfield, Ill., and damaging a water pump, another hacker, going by the name “pr0f,” targeted a city water utility in South Houston, Texas, to show how easy it was to compromise the industrial-control systems at these facilities. He posted screenshots purported to be taken after breaching the system, but there is no definitive way to look at the images and ascertain whether they are legitimate, Andre Eaddy, director of cyber-security portfolio services at Unisys, told eWEEK.

      However, even without additional details on what happened in the attack at the Illinois facility or the South Houston plant, attacks against critical infrastructure need to be taken seriously, Eaddy said.

      “Without a question, this was not an isolated event. There will be other events to follow,” Eaddy said.

      There was no harm done to the sewer system, and the supervisory control and data acquisition (SCADA) system has been taken offline, South Houston Mayor Joe Soto told the Houston Chronicle. Pr0f claimed to have steered clear of causing any damage, calling such vandalism “stupid and silly.”

      Pr0f also blamed the utility for connecting SCADA systems to the Internet. In subsequent interviews with Threatpost, pr0f claimed the facility was running Siemens Simatic human-machine interface software that was accessible from the Internet and was protected with a password only three characters long.

      “I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two-year old with a basic knowledge of Simatic,” he wrote in a post on Pastebin, a text-sharing site.

      Hooking up SCADA systems to the Internet is not a security “best practice,” Eaddy said, but there are a number of reasons a business might decide to do so, such as the convenience of being able to remotely monitor and manage the facility. Whether the business reason is worth the risk depends on the organization’s tolerance level, he said.

      Utility companies have the responsibility to ensure their systems are reasonably secure and not to engage in “sub-par, risky practices,” such as running outdated software or using applications known to be insecure, according to Eaddy. Hackers aren’t necessarily crafting exotic exploits or customizing new attacks, as they can target known vulnerabilities in programs that haven’t been fixed, he said. These aren’t zero-day bugs, but rather issues that people have known about for a long time, according to Eaddy.

      “I dislike, immensely, how the DHS tends to downplay” the weaknesses of the national infrastructure, the hacker wrote on Pastebin, claiming that the South Houston breach was spurred in part to show that the Springfield attack was not an unusual incident.

      According to security writer Brian Krebs, who had access to portions of the report issued by the Illinois Statewide Terrorism and Intelligence Center about the attack in Springfield, the water utility was running a copy of phpMyAdmin, a popular Web-based database administration tool.

      The attack was similar to a recent compromise of servers at the Massachusetts Institute of Technology earlier this month, the Illinois state agency wrote in the report. “The water district’s attack and the MIT attack both had references to phpMyAdmin in the log files of the computer systems,” the report said.

      According to the National Vulnerability Database, phpMyAdmin has over 100 reported security vulnerabilities. Chester Wisniewski, a senior security advisor at Sophos, said he used to use phpMyAdmin on a personal site but uninstalled it four years ago because the software was too insecure for a “play” site.

      It is becoming a common practice to connect sensitive critical infrastructure to the Internet and use off-the-shelf software to manage it for convenience and to keep costs low, “but this is bordering on criminally negligent when you are responsible for our water, power, gas and other sensitive utilities,” Wisniewski wrote on the Naked Security blog.

      “The Department of Homeland Security needs to do a top-down audit of these systems and mandate that these insecure practices come to an end,” Wisniewski said.

      Eaddy also said that it was important for industry-focused information sharing and analysis centers to do a “better job” reporting and disclosing incidents as they occur.
