Important SCADA systems secured using weak logins, researchers find

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.networkworld.com/news/2013/011513-important-scada-systems-secured-using-265833.html?source=nww_rss

TechWorld - Thousands of critical SCADA systems reachable from the
Internet are secured by dangerously weak default passwords, a survey
carried out with the help of the US Department of Homeland Security
has found.

Four leading causes of security breakdowns

According to a third-party report, Bob Radvanovsky and Jacob Brodsky
of consultancy InfraCritical used scripts run through the Shodan
search engine - 'Google for hackers' - to identify 7,200 vulnerable
logins.

After initially searching 500,000 systems, the pair whittled that list
in order to put a number to the problem of vulnerable SCADA interfaces
before reporting their findings to the DHS.

"The biggest thing is we are trying to assign a number - a rough
magnitude -to a problem plaguing the industry for some time now,"
Radvanovsky was quoted as saying.

"Until you identify the scope of a problem, no one takes steps to
change things. We're doing it on a beer budget; we hope others confirm
our results."

The list of SCADA systems included critical infrastructure as well
building automation, traffic control and red-light cameras and even
crematoriums.

"A lot of these guys want to fix things at 3 a.m. without driving
three hours in each direction. It's worth a lot to them to put it up
on the Net without thinking hard about the potential consequences,"
commented Brodsky.

"They'll presume a particular protocol is not well known. These guys
think no one will figure it out, but actually, there's a lot of
residual information available where you could figure it out. They're
not as secure as they think they are."

The DHS had contacted the controllers of the affected systems, the
researchers said, although progress to rectify the dangerous
insecurity had yet to be confirmed.

"This highlights a great weakness in critical infrastructure both in
the US and beyond: security is still firmly rooted in the 20th
century," said Chris McIntosh, CEO of security specialist ViaSat UK.

"For example, an attack on the energy grid needn't assault hubs of
power generation or sub-stations: communications lines, business
networks and even smart meters can be viable points of entry.
Incidents could involve manipulating real-time electricity grid
management equipment such as transformers and capacitors, resulting in
anything up to blackouts of entire regions."

Such systems should always use rigorous authentication and,
preferably, and encrypted channel, he said.

"Companies should be working on the assumption that their systems have
already been compromised and plan accordingly."

Nearly a year ago, the Shodan search engine was used by an independent
researcher to uncover a major flaw in Trendnet home webcams which
could allow an attacker to view private video feeds in realtime.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.