
Hacked Texan Water Infrastructure Had a 3 Character Password - 01PH
http://threatpost.com/en_us/blogs/hacker-says-texas-town-used-three-character-password-secure-internet-facing-scada-system-11201
======
kevinherron
This doesn't surprise me AT ALL. You guys wouldn't believe some of the stuff
I've seen out there. Work in the industrial automation field is largely done
by individuals/companies called System Integrators. Integrators are cowboys
and most of the industry is an unregulated wild-west. There is a pervasive
"git-er-done" attitude; nothing else matters, security included.

(I'm a developer at one of the smaller SCADA software companies.)

~~~
briandon
What's stopping the SCADA software companies from taking on the integration
work themselves?

~~~
jacquesgt
The big industrial automation and SCADA companies all provide some level of
application engineering/system integration services. But, it's only practical
to do the integration work in-house for large (millions of dollars in revenue
annually or tens of millions of dollars in revenue one time) customers.
Managing thousands of local teams of integrators all over the world to take on
smaller jobs would be prohibitively expensive.

For smaller, "one-off" jobs, the integration work is done by distributors or
by 3rd party integrators. Distributors will often do the integration for free
and cover the integration cost and their profit from the discount the
manufacturer gives them from list price. Most integrators do fixed-price bids
for work, and may also make money from equipment markups. In both cases, there
is a lot of incentive to do the minimum possible, especially since the
projects tend to be poorly specified.

This is all made worse by the fact that the customers tend to be technically
unsophisticated. That makes it hard for them to effectively manage projects,
and hard for them to make informed judgements when selecting suppliers.
Suppliers are usually picked based on personal relationships with the sales
team (manufacturer's or distributor's) and the in-house engineer's familiarity
with a given supplier.

Finally, the whole industrial automation industry isn't terribly glamorous.
The typical problems being solved on any given job have been solved thousands
of times before. The technology is often old and clunky (the most common
language is called ladder logic... look it up, it's good for a laugh). Being
successful requires a mixture of software, electrical engineering, mechanical
engineering, and sales skills. Since most distributors and integrators live
almost hand-to-mouth, sales skills tend to be emphasized, even among the
engineers. The engineers who are good at sales find they can make more money
doing sales. The ones who aren't salesy find there isn't much room for
advancement and move on. I'm over-generalizing, but the overall trends don't
encourage high-quality software engineering.

------
droithomme
There is no way to stop people from doing this sort of thing because people
are infinitely creative in ways to be dumb. The solution is not to have
critical infrastructure controlled over the public internet.

~~~
chrisbolt
That's just another way of saying "don't employ dumb people."

------
DanBC
Lack of clean water can cause large amounts of chaos very quickly[1]. Water
infrastructure should be something that Governments want to protect.

Given that, and given weird laws about "providing help to terrorists"[2], I'm
amazed that someone putting a 3-character password on something so important,
and then letting it face the Internet, is not going to see jail time.

[1] See, for example, flooding in Gloucestershire, England, a few years ago.
That was troublesome, but only got really bad when a local water treatment
plant was flooded.

[2] At least, in the UK.

------
throwaway64
Sounds like my bank, Bank of Montreal: they only allow 4-number passwords for
their e-banking shit (seriously).

~~~
zheng
But I'm sure they have some sort of lockout after 3 or so tries, right?

(Unfortunately, this reads just as valid sarcastically as seriously).

~~~
jws
This is great when the bank only has a few hundred accounts. Sure, it is
unlikely to guess a single individual, but a thief probably doesn't care who
they steal from.

------
zephjc
Was the password "H2O"?

~~~
cellis
123 or abc is my guess

~~~
droithomme
Many years ago I worked for a defense contractor who not only had 123abc as
the password for a workstation that held secret information and was connected
to the internet, but a post-it note with "password: 123abc" was kept on top of
a monitor which was visible through a window from a corridor that random
members of the public had access to. When I brought this up as possibly a poor
security practice, the reaction was anger towards me, and then moving the
post-it note to the side of the monitor so it would not be visible from the
window.

~~~
pilom
If there actually was Secret level classified information on a system, it is a
security infraction that that monitor is visible through a window to the
public. That contractor should have been reported to the program Security
Officer. Glad the defense contractor I work for takes things a little more
seriously.

------
tripzilch
Well, well... In between developing censoring and deep packet inspection
infrastructure for Iran and Egypt (in a joint venture with Nokia) and getting
their PLC control software rooted by Stuxnet, Siemens makes badly secured
SCADA systems for water supplies.

------
fredoliveira
This reminds me of the movie Hackers.

"Yeah but don't forget God. System operators love to use God. It's that whole
male ego thing." ;-)

------
lucisferre
Given that I probably would have put "Hacked" in quotes then.

------
ryan-allen
Does anyone else think that it's only a matter of time before IT security is
going to be a regulated industry?

~~~
pilom
In the US, there was a relatively recent regulation of IT security in the form
of Department of Defense Directive 8570. This directive requires IT security
folks who work on DoD contracts to have a certification from one of the major
certification authorities (think CISSP). Personally I'm not a fan of required
certification for a number of reasons, but at least the DoD is trying to
improve the quality of contractors working in IT security.

~~~
lawnchair_larry
It's cute that they think they are trying, but CISSP really is a joke.

------
JordyB
I have always wondered how weak the passwords were on things like this. It is
a shame someone even put such a password on there.

------
peterwwillis
I'm going to say it: if people who work "in the real world" would release this
stuff to an organization like the now-dead WikiLeaks or Anonymous, the bad
press might put enough fear into a higher-level manager to actually audit
their crappy systems for this stuff.

Also I think somebody ought to pass some tougher laws about leaving national
infrastructure open to simple attacks. We can start with "3 years in prison
for default passwords."

------
peterbotond
Many, many years ago, when modems were king, there was a breach similar to the
3-character password, UCB... well, the rest is history. I don't remember the
details precisely; they can probably still be found in some news or mailing
list archives.

~~~
mattdeboard
This may well be the vaguest allusion to a historical event I've ever seen.

~~~
morsch
Not exactly the vaguest, probably -- a couple of years ago, the pants
allusion, you know. Pretty funny & caused quite the stir in the right circles
(HTE, etc.).

~~~
mattdeboard
I don't understand what you mean but your opacity reminds me of a similar
event, which you may recall.

