This doesn't surprise me AT ALL. You guys wouldn't believe some of the stuff I've seen out there. Work in the industrial automation field is largely done by individuals/companies called System Integrators. Integrators are cowboys and most of the industry is an unregulated wild-west. There is a pervasive "git-er-done" attitude; nothing else matters, security included.
(I'm a developer at one of the smaller SCADA software companies.)
Indeed, while our politicians bloviate about 'terrorism' and how safe they're keeping us, this is the reality. Notable that this occurred in Texas, where the legislature would be as likely to consult Jesus about the incident as a security expert. I honestly have to wonder whether our society will be going down in flames soon due to the odd combination of reliance upon and willful, resentful ignorance of knowledge that is being promoted in public culture.
Amen to that. I do some work on the network side of control systems—and default passwords (or no passwords) are rampant, and often recommended under manufacturer guidelines. The last part there is the more worrisome.
It doesn't surprise me at all either. SCADA systems invariably seem to be ancient museum pieces pressed into service out of necessity and kept in service out of inertia.
The kind of shit I've seen in SCADA comms rooms blows my mind -- bare, homebrew breadboards screwed into 19" racks; SparcStations caked with dirt and grime; passwd files containing active accounts for people who are now dead.
The only thing I find surprising about any of this is that it doesn't happen every single day.
Well, just so you know, it's not limited to your industry. The "You guys wouldn't believe some of the stuff I've seen out there" is almost insulting given what I have seen. I guess it's just anybody out there who's been in contact with the real world who can say that.
There is no way to stop people from doing this sort of thing because people are infinitely creative in ways to be dumb. The solution is not to have critical infrastructure controlled over the public internet.
Lack of clean water can cause large amounts of chaos very quickly[1]. Water infrastructure should be something that Governments want to protect.
Given that, and given weird laws about "providing help to terrorists"[2], I'm amazed that someone putting a 3 character password on something so important, and then letting it face the Internet, is not going to see jail time.
[1] See, for example, flooding in Gloucestershire, England, a few years ago. That was troublesome, but only got really bad when a local water treatment plant was flooded.
Well, well... In between developing censoring and deep packet inspection infrastructure for Iran and Egypt (in a joint venture with Nokia) and getting their PLC control software rooted by Stuxnet, Siemens makes badly secured SCADA systems for water supplies.
In the US, there was a relatively recent regulation of IT security in the form of Department of Defense Directive 8570. This directive requires IT security folks who work on DoD contracts to have a certification from one of the major certification authorities (think CISSP). Personally I'm not a fan of required certification for a number of reasons, but at least the DoD is trying to improve the quality of contractors working in IT security.
I'm going to say it: if people who work "in the real world" would release this stuff to an organization like the now-dead WikiLeaks or Anonymous, the bad press might put enough fear into a higher-level manager to actually audit their crappy systems for this stuff.
Also I think somebody ought to pass some tougher laws about leaving national infrastructure open to simple attacks. We can start with "3 years in prison for default passwords."
Many, many years ago, when modems were king, there was a breach similar to the 3 character password, UCB... well, the rest is history. I don't remember the details precisely; it probably can still be found in some news or mailing list archives.
nakkiel|14 years ago
But yeah, the real world kind of stinks.
DanBC|14 years ago
[2] At least, in the UK.
zheng|14 years ago
(Unfortunately, this reads just as valid sarcastically as seriously).
smtf|14 years ago
http://www.bmo.com/home/about/banking/privacy-security/prote...
Maybe you're the victim of a phishing attack or something; for example, maybe a fake site told you you had to use 4 digits.
Honestly, I've heard of a lot worse than this:
http://www.bmo.com/home/about/banking/privacy-security/how-w...
fredoliveira|14 years ago
"Yeah but don't forget God. System operators love to use God. It's that whole male ego thing." ;-)