Completing the trilogy of ICS-security-related blog posts, a hacker recently demonstrated how easy it was to find and log in to an internet-facing SCADA system used for water management in a town in Texas. From the article on threatpost:
The hacker, using the handle “pr0f”, took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems used by South Houston, a community in Harris County, Texas. Communicating from an e-mail address tied to a Romanian domain, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. He said South Houston had an instance of the Siemens Simatic human machine interface (HMI) software that was accessible from the Internet and that was protected with an easy-to-hack, three-character password.
For those of us who design, build, and deploy systems like this, let’s ask ourselves what would happen if a serious incident happened and significant equipment damage was done, or worst case, people were seriously injured or killed. Don’t you think the people who worked on the system would end up in court (if not in criminal court, then at least in civil court)?
When in doubt, don’t sit these things directly on the internet. There are lots of secure remote access products available (Google for “VPN”). It’s worth it.
It will be interesting to see where this leads. Maybe in the future these sorts of things will require a professional engineer to certify them before they can go into use. However, safety systems, even with today’s standards, are supposed to be independent of the SCADA system, so significant injury and loss of life should be prevented regardless of whether your SCADA system is cracked. Not that these safety standards are always followed – I suppose that is where the certification will become more and more important as time goes on.
@mawrya – good points. If you’ve been following @digitalbond, it seems like now that we have things like SafetyPLCs and programmable safety devices, there’s usually no real security on these devices either. That means if they’re on the network, and you knew the protocol, you could probably upload the safety program, modify it, and download the modified version. These things are supposed to be password protected, but (a) usually that’s only enforced at the level of the programming software, not the device and (b) there are usually ways to get around security measures anyway.
You’re right – I think we need to have Professional Engineers sign off on these systems before they’re installed and connected to the network.