Information Security News mailing list archives

Researchers warn of SCADA equipment discoverable via Google


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 3 Aug 2011 04:48:50 -0500 (CDT)

http://news.cnet.com/8301-27080_3-20087201-245/researchers-warn-of-scada-equipment-discoverable-via-google/

By Elinor Mills
InSecurity Complex
August 2, 2011

LAS VEGAS -- Not only are SCADA systems used to run power plants and other critical infrastructure lacking many security precautions to keep hackers out, operators sometimes practically advertise their wares on Google search, according to a demo today during a Black Hat conference workshop.

Acknowledging that he wouldn't click on any link results to avoid breaking the law by accessing a network without authorization, researcher Tom Parker typed in some search terms associated with a Programmable Logic Controller (PLC), an embedded computer used for automating functions of electromechanical processes. Among the results was one referencing a "RTU pump status" for a Remote Terminal Unit, like those used in water treatment plants and pipelines, that appeared to be connected to the Internet. The result also included a password -- "1234."

That's like putting up a billboard saying SCADA (Supervisory Control and Data Acquisition) system here and, oh by the way, here are the keys to the front door.

"You can do a Google search with your Web browser and start operating [circuit] breakers, potentially," Parker, chief technology officer at security consultancy FusionX, told CNET in a break during the workshop on "Building, Attacking And Defending SCADA Systems in the Age of Stuxnet."

[...]



