
Thousands of SCADA Devices Discovered On the Open Internet

Unknown Lamer posted about 2 years ago | from the easier-that-way dept.

Security 141

Trailrunner7 writes with news of the continuing poor state of security for industrial control systems. From the article: "Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That's mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States. It's not a pretty picture. The duo ... have with some help from the Department of Homeland Security (PDF) pared down an initial list of 500,000 devices to 7,200, many of which contain online login interfaces with little more than a default password standing between an attacker and potential havoc. DHS has done outreach to the affected asset owners, yet these tides turn slowly and progress has been slow in remedying many of those weaknesses. ...The pair found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums."


141 comments


private network (1)

Anonymous Coward | about 2 years ago | (#42550877)

sounds like some people need to get their own private networks setup with a touch of authentication...

Re:private network (1)

bbelt16ag (744938) | about 2 years ago | (#42551385)

FIRE SALE!!!

Re:private network (0)

Anonymous Coward | about 2 years ago | (#42559345)

Perhaps the DHS could employ the Anonymous to make a contribution to the situation by pointing out all the unprotected crematoriums in the country, sending a message. When the energy executives have a couple of days delay in the funeral arrangements of their parents so ruining their Vegas trip, perhaps then they start to listen.

No worries guys. (4, Funny)

Beardo the Bearded (321478) | about 2 years ago | (#42551475)

Hey guys, no worries, I went in and changed the passwords.

USA USA USA

Security by stupidity? (1)

gstoddart (321705) | about 2 years ago | (#42550879)

Wow, default passwords on things connected directly to the internet -- either the people installing these things are lazy, or the companies selling them are giving lousy security advice.

Re:Security by stupidity? (5, Insightful)

clm1970 (1728766) | about 2 years ago | (#42550905)

Part of the problem is the engineers designing them. They don't understand the sandbox they're playing in. It isn't in their culture and they don't know that they should secure them much less how to. I'm starting to see organizations hire product security engineers now to try and institute this stuff into the products but they seem way behind the curve IMHO.

Re:Security by stupidity? (2)

Synerg1y (2169962) | about 2 years ago | (#42550949)

The thing with security is... outside of the curve, there's outside-the-box thinking, comprehension and competence that are involved. You're trying to outsmart potential attackers, not follow a white paper that they have access to. "Behind the curve" is false because there is no curve, there's just secure and insecure practices. The exploit will either work, or it won't. This only applies at the application level btw.

Outside of the curve .. (1)

dgharmon (2564621) | about 2 years ago | (#42555237)

"The thing with security is... outside of the curve, there's outside-the-box thinking"

In the interests of economy, instead of leased lines, they decided to use Microsoft Windows over the Internet, taking no steps to protect the system from hacking ...

Re:Outside of the curve .. (1)

davester666 (731373) | about 2 years ago | (#42555473)

Ah, you're familiar with our line of deluxe ATMs.

Re:Security by stupidity? (4, Interesting)

webmistressrachel (903577) | about 2 years ago | (#42551009)

Two factors have caused this - one, the assumption that those with the knowledge to cause havoc have better things to do with their time, and two, the assumption by manufacturers that factory floor equipment will be physically separated from the public (and by implication, the Internet).

All the changes that have resulted in this situation are probably very recent (10 years), and are in situations where legacy networks and equipment have been bolstered by or re-connected with new stuff by young IT-types, not engineers, who probably had no idea all the industrial stuff wasn't secured!

Re:Security by stupidity? (0)

Anonymous Coward | about 2 years ago | (#42551353)

What, two factors? How many factors does it take to secure something then?!?

Re:Security by stupidity? (2)

Billly Gates (198444) | about 2 years ago | (#42551359)

One factor that caused it. Management!

They are now used to checking their nuclear power plant controls from their iPhones (ok maybe that example is exaggerated to make a point ... I hope!) If you now make it secure they will throw a hissy fit if they can't get their reports.

They will call IT to put it back on the internet to fix it. Once the cat got out of the bag it is hopeless. ... 2 factors.

The sales team sold it and told their engineers to include it too so they can sell more units. This was the selling point to upgrade and the sales people at the various SCADA makers will THROW A RIOT if it is not included as MBAs will buy from someone else who will let them do this if they won't.

Re:Security by stupidity? (0)

Anonymous Coward | about 2 years ago | (#42557301)

This is too true. I work in the area of SCADA security for a SCADA provider and thus why I am posting anon. There is also the users and what they want individual developers feel their programs should have access to. You would shudder at the conversations I have some days with people, although if you work in the security area you might actually not. At least I know I will have a job as long as I want one. Even within my building I have a hard time pushing for better security tools and configurations as our MBA types don't want to spend the money on it, and they really don't like hearing that it is a shitty idea to have devices that are connected to both the public internet and the local SCADA system.

Re:Security by stupidity? (1)

icebike (68054) | about 2 years ago | (#42551445)

and two, the assumption by manufacturers that factory floor equipment will be physically separated from the public (and by implication, the Internet).

You have to really wonder how it is that 1) we are running out of IPv4 addresses, and 2) all these factory floors and crematoriums manage to expose their SCADA devices to the internet with public IPs.

How much penetration did these researchers have to engage in to get access to things behind routers? (I ask this because I refuse to believe there are that many companies wasting public IPs on process control computers who have not heard about firewalls and VPNs.)

How clueless would the IT departments have to be to allow such to happen? In an age where every high school kid can set up a router with reasonable (out of the box) security it seems ridiculous to assume someone with credentials would overlook this.

Even if there is a windows machine sitting directly on the internet (horrors) you still have to get past that to the SCADA controller.

Do we really have enough IP addresses for every valve, motor, and crematorium to be directly connected to the net?

Re:Security by stupidity? (2)

postbigbang (761081) | about 2 years ago | (#42551547)

Consider the flipside, however. My servers get attacked all the time, with known default password attempts. Sometimes it comes thru ssh when they smell the honey.

Some of this is really suspect because they should have been cracked open like an egg by now. Yes, the number of IPv4 addresses is small, but SCADA sticks out like a sore finger (pun intended).

Clueless? I'm not so sure. Honeypots? Yeah, could be. By now, they should have 'outed' or shamed a handful of these guys so as to be examples for the rest, but no one's done that. Perhaps the Hickeyville Water Company would make a good poster boy for being stupid, and the others would fall in line. So something smells here.

Re:Security by stupidity? (2, Interesting)

Anonymous Coward | about 2 years ago | (#42553171)

Railroads commonly control switch points with DTMF tones over open radio channels.

This is widely known and a dreadful safety issue but no one talks about it.

Re:Security by stupidity? (0)

Cito (1725214) | about 2 years ago | (#42555021)

on ham radio, we control our repeaters with plain dtmf tones.

for example to make a free phone call on the repeater's autopatch system here locally just key up on 146.820 (-.600 repeater shift of course) and press *7 unkey the controller will say "Autopatch activated" you will then hear dialtone, the controller is programmed to not allow long distance calls at least but you can make any phone call you wish. It's a little wonky as it's not full duplex, but works, I use it when calling home that I will be running late, and it's normally used for short less than 5 min calls by local club members. When call is done key up the radio and press # the call will terminate and the controller will respond "Call completed at xxx time"

most repeaters use default autopatch codes, you can read the default codes here: http://www.catauto.com/cat1000.html [catauto.com]

I've tried default codes all across the state and it's hilarious finding free autopatches

Re:Security by stupidity? (1)

blackest_k (761565) | about 2 years ago | (#42552813)

The Windows PC is the SCADA controller. I'm out of date so I could be wrong, but most if not all SCADA systems sit on top of Windows, and have for a very, very long time. Windows versions can be from 98 upwards.

Re:Security by stupidity? (0)

Anonymous Coward | about 2 years ago | (#42557103)

Some SCADA systems sit on Windows boxes, some only use Windows boxes as UIs with *NIX in the back, a lot are straight up *NIX systems (Solaris, AIX, Linux are the ones I work with).

Re:Security by stupidity? (0)

Anonymous Coward | about 2 years ago | (#42556375)

1 factor caused it. From what I read your pal tomhudson/Barbara, not Barbie worked at SIEMENS. That explains the buffer overflows since he/she claimed to be a coder. Some coder. One that got caught using multiple accounts shown above here on slashdot and he/she was run out of here, for stalking and harassing others along with you using TOR onion routers to do the same alongside her shown in the link below. Go away troll. We're not interested in your horseshit and erroneous ''computer knowledge" as was shown here http://slashdot.org/comments.pl?sid=3360735&cid=42498031 [slashdot.org]

Re:Security by stupidity? (0)

webmistressrachel (903577) | about 2 years ago | (#42556785)

Now you're proving what you're all about stupid apk.

First you tried to prove me wrong about AdBlock - and you're still wrong, you're so stupid and old that you haven't even read and understood that AdBlock prevents the browser from even using the OS to look up anything!

Also, your condescending assumption that I know nothing. I'm so sick of it. Take a look at yourself, scumbag, you're the one doing all the cyberstalking here!

Oh, and I've been trying to hold off on this one because of the potential backlash - but out of the HOSTS troll with the lies and the bold who's been getting modded down? Now I haven't even HAD mod points since we started arguing again, and yet I'm still posting at +2 and being modded up to 5. Do enough people like you that you can do that? No. They're modding you down, which is making you angry. Fuck off. You're making my posts look untidy.

Time to show you're a liar webmistressrachel (-1)

Anonymous Coward | about 2 years ago | (#42559027)

First you tried to prove me wrong about AdBlock - and you're still wrong, you're so stupid and old that you haven't even read and understood that AdBlock prevents the browser from even using the OS to look up anything! by webmistressrachel (903577) on Friday January 11, @08:44AM (#42556785)

You're lying again. Anyone's free to read your own lies quoted below right now (it was about hosts vs. adblock and you said he couldn't get the better of you):

"As for HOSTs, give it, up you can't burn anyone.

Adblock:
Web Page Parser -->URL Analyzer -->Plugins ||| BLOCK

HOSTs:
Web Page Parser -->URL Analyzer -->Plugins --> DNS Lookup --> Process HOSTS file (sometimes in RAM) -->Timeout Period for Local Webserver (10-30secs) ||| BLOCK = Slower." - by webmistressrachel (903577) on Friday January 04, @01:51AM (#42472651) Journal

Yes - Those are YOUR WORDS in error, massive error, STRAIGHT FROM -> http://slashdot.org/comments.pl?sid=3351357&cid=42472651 [slashdot.org]

Clue Dumbo: HOSTS DO IT FAR BEFORE THAT, @ OS load via tcpip.sys, see below from MICROSOFT!

(via a driver in tcpip.sys, fast as it gets & before AdBlock & before DNS queries to a DNS server, local OR remote stupid)!

NOT how you listed it above!

---

PROOF - On HOSTS querying order & that you are IN ERROR, "non-sequitur", & WRONG!

---

http://support.microsoft.com/kb/172218 [microsoft.com]

Host name resolution generally uses the following sequence:

---

The client checks to see if the name queried is its own.

The client then searches a local Hosts file, a list of IP address and names stored on the local computer.

Domain Name System (DNS) servers are queried.

---

I mean, not only are you COMPLETELY "non-sequitur" here? You're also NOW ''busted" as a fucking LIAR!

Above ALL else:

You said "us OS types don't know things you web GOOFS do"?

"OK, I'm going to explain something us "web-browser developers" know that you OS types obviously didn't know." - by webmistressrachel (903577) on Sunday January 06, @07:33AM (#42494615) Journal

FROM -> http://slashdot.org/comments.pl?sid=3360735&cid=42494615 [slashdot.org]

See above!

LMAO - Without US "OS types"?

You wouldn't have a POT TO PISS IN, period... no browsers coded by actual REAL coders? You're helpless without us.

APK

P.S.=> HELL - SEE ABOVE: YOU SHOT YOUR MOUTH OFF & GOT "SHOT DOWN IN FLAMES" by your OWN STUPID MISTAKES, stupid... lol!

... apk
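Both mechanisms argued over in this subthread can be put side by side in a small model. This is an added example, not code from the thread or from any commenter: a toy resolver that follows the three steps quoted from the Microsoft KB article (own name, local hosts file, then DNS), plus a toy browser whose URL filter runs before any name is resolved. The hosts file, DNS answers, filter rules and host names are constructed sample data. It shows that a hosts entry is consulted before a DNS query ever leaves the machine, and that a browser-level filter decides before the browser asks the resolver at all; the two block at different layers, and a request can be stopped by either.

```python
"""Toy model of host-name resolution order and of browser-side URL filtering.

Added example, not code from the thread. Resolution follows the sequence
quoted from the Microsoft KB article: own name, local hosts file, then DNS.
The hosts file, DNS answers and filter rules below are constructed sample data.
"""
from urllib.parse import urlsplit

OWN_HOSTNAME = "workstation"     # constructed
OWN_ADDRESS = "192.0.2.10"       # constructed (TEST-NET-1)

# Constructed hosts file. Blocking entries point at 0.0.0.0: nothing can
# listen there, so a connection attempt fails at once. An entry pointing at
# 127.0.0.1 instead makes the browser connect to the local machine, which is
# refused immediately if nothing listens or answered by a local web server.
HOSTS_FILE = """
# blocking entries, constructed
127.0.0.1   localhost
0.0.0.0     tracker.example
127.0.0.1   legacyblock.example
"""

# Constructed DNS answers, used only when the hosts file has no entry.
DNS_TABLE = {
    "slashdot.example": "198.51.100.7",
    "ads.example": "198.51.100.9",
    "tracker.example": "198.51.100.11",   # never reached: the hosts entry wins
}

# Constructed browser-side filter rules (AdBlock-style substring matches).
URL_FILTER = ["/banner", "ads.example"]


def parse_hosts(text):
    """Turn hosts-file text into {name: address}; first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(name, hosts=None, dns=None):
    """Resolve a name in KB order; returns (address, source)."""
    hosts = parse_hosts(HOSTS_FILE) if hosts is None else hosts
    dns = DNS_TABLE if dns is None else dns
    name = name.lower()
    if name == OWN_HOSTNAME:
        return OWN_ADDRESS, "self"
    if name in hosts:                    # consulted before any DNS query
        return hosts[name], "hosts"
    if name in dns:
        return dns[name], "dns"
    return None, "nxdomain"


def browser_fetch(url):
    """Model the browser: the URL filter runs before the name is ever resolved."""
    if any(pattern in url for pattern in URL_FILTER):
        return {"outcome": "blocked_by_filter", "resolved": False, "address": None}
    address, source = resolve(urlsplit(url).hostname)
    if address is None:
        return {"outcome": "nxdomain", "resolved": True, "address": None}
    if source == "hosts" and address == "0.0.0.0":
        return {"outcome": "blocked_by_hosts", "resolved": True, "address": address}
    if address.startswith("127."):
        # Resolved to the local machine: a connection to a local server follows.
        return {"outcome": "connect_local", "resolved": True, "address": address}
    return {"outcome": "fetched", "resolved": True, "address": address}


if __name__ == "__main__":
    for url in ("http://slashdot.example/", "http://ads.example/x",
                "http://tracker.example/pixel.gif", "http://legacyblock.example/"):
        print(url, browser_fetch(url))
```

The design point is the `resolved` flag: a filter hit never reaches `resolve()`, while a hosts hit is a resolution that returns an unusable address. Which one "happens first" depends on whether you count from OS boot (the hosts file is loaded and ready) or from the browser's handling of a URL (the filter runs first); the model makes both readings visible.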

Re:Time to show you're a liar webmistressrachel (0)

webmistressrachel (903577) | about 2 years ago | (#42559171)

Where's the developers of Firefox to correct you when you need them? I don't care about tcpip.sys and all that, and neither does AdBlock - which uses its own list during page parsing, yes, just after the 1st DNS for the page and then before parts (ie ads and plugins) are loaded (and do their own DNS). Before!!!

Also, other people have told you before that your silly methods poll local webservers. i.e. 10-30 seconds for each element in your HOSTs file rubbish.

Give it up, apk, you're old hat. And black hat at that, with all your screaming abuse.

Answer a question then... apk (-1)

Anonymous Coward | about 2 years ago | (#42559267)

The ipstack (tcpip.sys) loads @ OS startup. It loads hosts that block. I already showed that much from Microsoft's own documentation, as fact!

QUESTION: Which happens first? OS load/tcpip.sys/blocking hosts load (since the IP stack loads hosts files with blocking), or browser requests that use AdBlock?

ANSWER THAT!

It's going to be a PLEASURE watching you squirm, lol... since hosts are ALREADY @ THE FINISH-LINE before Adblock even BEGINS to work (& adblock doesn't even block all ads anymore - lol, they should call it "almost all ads blocked" instead, lol).

APK

P.S.=> I am going to FLOOR YOU, & make you "SQUIRM" for your YEARS of trolling me by TOR... payback is a BITCH, no? Absolutely...

... apk

Re:Answer a question then... apk (0)

webmistressrachel (903577) | about 2 years ago | (#42559535)

Number one, never actually trolled you via TOR, just threatened to, because you were being an abusive scumbag.

Number two, it matters not one iota that tcpip and HOSTS load before Firefox, and AdBlock - it matters that AdBlock does not use HOSTS to process its blocking and is therefore before it in the execution cycle that matters here! In fact, it makes HOSTS completely redundant, as many others have tried to tell you. In the meantime, I earn Karma because I am calm, correct, and not an abusive old scumbag bitter that SCADA and Win 3.1 are going the way of the dinosaur!!!

Re:Answer a question then... apk (-1)

Anonymous Coward | about 2 years ago | (#42559637)

Does adblock perform blocks before a hosts do? No. Hosts load @ OS startup & they are at the finish line for doing blocking before browsers or adblock even start working (adblock also doesn't block all ads anymore making it useless and redundant wasting resources since browser addons slowdown firefox, a known fact). Lastly, Your browser can't do a thing until it knows where to go online and hosts are queried first for that as well as blocking. You fail. As far as your quoted threats on using TOR to bomb apk, you are busted by your own words.

Re:Answer a question then... apk (0)

webmistressrachel (903577) | about 2 years ago | (#42559679)

Yawn, he can't even pretend to be a third party properly ;-)

Re:Answer a question then... apk (-1)

Anonymous Coward | about 2 years ago | (#42559713)

Answer the question or disprove the points posted here http://slashdot.org/comments.pl?sid=3373637&cid=42559637 [slashdot.org] your avoidance of that shows you're indeed squirming troll.

Re:Answer a question then... apk (0)

webmistressrachel (903577) | about 2 years ago | (#42559817)

I have done. Quit stressing, it makes you look old and bitter. I'm sorry that you can't face how wrong you are, both about HOSTS and the way you're treating people, but it's not really my problem. All you're doing at the moment is adding to my Karma...

Re:Answer a question then... apk (-1)

Anonymous Coward | about 2 years ago | (#42559879)

No, you did not. Answer it http://slashdot.org/comments.pl?sid=3373637&cid=42559637 [slashdot.org] it is not incorrect, you are. hosts work before browsers & adblock do, long before @ OS startup, and in order to GET to a site, the 1st thing queried by ANY CLIENT including browsers, is hosts files which Microsoft documentation proved to you. Adblock doesn't block all ads either. It is redundant & wasteful because of that, plus browser addons slow down firefox, Fact.

Re:Answer a question then... apk (0)

webmistressrachel (903577) | about 2 years ago | (#42559911)

Lalalalaaa... +1 Karma, gosh this articles' a mess; I really shouldn't bite the troll so much!

Re:Security by stupidity? (0)

Anonymous Coward | about 2 years ago | (#42559105)

A browser can't do a thing minus the IP stack (tcpip.sys). Browsers make requests that must resolve an IP address first to get to a site. That happens at OS startup with tcpip.sys loading, which also loads hosts files for blocking what they contain if told to do so first, long before adblock even ever operates. This makes adblock redundant and it doesn't block all ads anymore either. I read what was posted and you did indeed make threats to bomb him by using TOR too. It is obvious you use that to do multiple accounts for trolling as your friend tomhudson/Barbara, not Barbie was doing, and in those posts others said you are he-she as well. Nobody believes you, troll. Brush up on how the IP stack works also.

webmistressrachel = technically stupid (-1)

Anonymous Coward | about 2 years ago | (#42559211)

webmistressrachel caught trolling can't handle it done back to her. How droll and ironic. She can dish it out by TOR usage which she was caught making threats to apk about, but when her technical mistakes are thrown back at her in quotes of her mistakes, she tried to say it was DNS she was speaking of here http://slashdot.org/comments.pl?sid=3360735&cid=42512131 [slashdot.org] quoting her in black and white. Now she tries to say it was about adblock. Newsflash: Both dns and adblock are redundant since adblock doesn't block all ads and tcpip.sys loads hosts files long before either operates. She said dns works before hosts do as well. Wrong. Microsoft's own documentation proved you wrong on all accounts. Bottom line here is simple. Don't troll others and you won't get trolled. Learn how to take it as well as dish it out if you can't stop trolling, troll. Your complaints here make you look even more stupid than your technical errors shown above. You did unto others and when it's done to you, you complain? Please. Make us laugh at you even more.

Re:webmistressrachel = technically stupid (1)

webmistressrachel (903577) | about 2 years ago | (#42559483)

I never bombed anyone like this, stalking them across slashdot and claiming crazy things about their gender.

Also, you're still talking bullshit because this isn't about whether HOSTS or tcpip loads on boot, it's about whether AdBlock uses it at all (which it doesn't) and the requests to local webservers caused by HOSTS! Shut up and go away you smelly trollbag! lol I love seeing you angry.

Answer the simple question put to you here (0)

Anonymous Coward | about 2 years ago | (#42559581)

http://slashdot.org/comments.pl?sid=3373637&cid=42559267 [slashdot.org] local webservers aren't what I query going to slashdot stupid. My browser needs to resolve slashdot.org to get here in the first place. What blocks ads before that happens? Hosts do at OS loadup. They are at the finish line already before adblock or the browser begins to work for blocking. Adblock doesn't even block all ads anymore either.

Re:Answer the simple question put to you here (1)

webmistressrachel (903577) | about 2 years ago | (#42559629)

I just told you how it works, I have explained in more detail elsewhere. Since you are such a sleuth and so clever, I'm surprised you still don't get this.

Go "sleuth" and find out why. Slashdot will do just fine without you while you figure it out. And stop being so damn abusive.

Answer the question troll (-1)

Anonymous Coward | about 2 years ago | (#42559671)

Does adblock perform blocks before a hosts do? No. Hosts load @ OS startup & they are at the finish line for doing blocking before browsers or adblock even start working (adblock also doesn't block all ads anymore making it useless and redundant wasting resources since browser addons slowdown firefox, a known fact). Lastly, Your browser can't do a thing until it knows where to go online and hosts are queried first for that as well as blocking. You fail. As far as your quoted threats on YOU using TOR to bomb apk, you are busted by your own words.

Re:Answer the question troll (1)

webmistressrachel (903577) | about 2 years ago | (#42559733)

Who's posting anonymously? Who's stalking me? Replying to every post? Via AC?

Who's posting facts with her username, answered the question loads of times

Page Parser ---> AdBlock --> | Block

Page Parser ---> TCP / IP --> HOSTS --> Local Webserver Timeout.

So AdBlock first, in terms of EXECUTION, in the USER SPACE, of the BROWSER ITSELF. Shut up, you look so stupid!!!

Re:Answer the question troll (-1)

Anonymous Coward | about 2 years ago | (#42559797)

That's not what ya said before (apk corrected you?) see your words:

Web Page Parser -->URL Analyzer -->Plugins ||| BLOCK

HOSTs:
Web Page Parser -->URL Analyzer -->Plugins --> DNS Lookup --> Process HOSTS file (sometimes in RAM) -->Timeout Period for Local Webserver (10-30secs) ||| BLOCK = Slower." - by webmistressrachel (903577) on Friday January 04, @01:51AM (#42472651) Journal

Note the placement of hosts from you? It's wrong.

That happens BEFORE browsers or adblock operate at OS startup with tcpip.sys loads. Hosts are the 1st thing queried to get online or for blocking ads or bad servers too. They are at the blocking finish line before browsers or adblock even begin to work.

Adblock also doesn't block all ads and browser addons slowdown firefox, a known fact.

Yes - Those are YOUR WORDS in error, massive error, STRAIGHT FROM -> http://slashdot.org/comments.pl?sid=3351357&cid=42472651 [slashdot.org]

Just answer the question or disprove its points here http://slashdot.org/comments.pl?sid=3373637&cid=42559671 [slashdot.org] since you avoid it it shows you are caught with your pants down, as well as lying stating your debate was about DNS also before that.

Re:Answer the question troll (1)

webmistressrachel (903577) | about 2 years ago | (#42559845)

Your logic is completely flawed.

Yes, HOSTS et al. loads on startup, but isn't used by AdBlock which appears before the TCPIP stack (so is never used unless we already know a URL is ok anyway)..

If we use your method we get timeout, tcpip overhead, etc., so actually takes longer!

And stop being abusive. I am convinced that you've fixated on me in some way, it's not good for you at all.

Nobody said adblock used hosts (-1)

Anonymous Coward | about 2 years ago | (#42559977)

"Yes, HOSTS et al. loads on startup, but isn't used by AdBlock which appears before the TCPIP stack (so is never used unless we already know a URL is ok anyway).." - by webmistressrachel (903577) on Friday January 11, @01:09PM (#42559845)

Microsoft's own documentation of the IP address resolution from hostnames shows you are incorrect. Browsers can't get to a site without knowing that much. What gets queried 1st? Hosts files. Are you high? Hosts load @ OS startup with IP stack. Clients query it 1st for blocks and address resolution, without which a browser can't even start operating to get to a site. Hosts are already at the blocking finish line long before adblock starts, & the browser too (adblock doesn't block all ads by default, making it useless and redundant as well as wasteful of resources, and browser addons slow down firefox, fact).

QUESTION #1: Can your browser get to slashdot without the IP stack? Answer that.

QUESTION #2: What is queried 1st for both blocking AND hostname resolution to IP address?? Answer that

QUESTION #3: Are hosts in KERNEL MODE (ring 0/rpl 0), fastest mode of operation there is, since they are an integrated part of the IP stack??? Answer that too.

QUESTION #4: What ring of privilege do browsers and adblock, layered in over them slowing them down even more, a KNOWN fact, operate in???? Answer that also!

APK

P.S.=> You are SO "non-sequitur"/out-of-order it's UNREAL... & I am going to make you SQUIRM for it (since you've already been shown changing your story on DNS, what your order of ops was & more).. answer those, this is going to be HILARIOUSLY funny! apk

Re:Security by stupidity? (3, Interesting)

cayenne8 (626475) | about 2 years ago | (#42551105)

Regardless....

Can someone PLEASE post the links to all the red light cameras (down here they're also fucking speed cameras useful for nothing better than revenue generation, which has essentially been admitted to by the city)....

I'd love to be able to *ahem*....access those.

:)

Re:Security by stupidity? (0)

Anonymous Coward | about 2 years ago | (#42552791)

Here is a link to a Hak5 interview with viss. It starts at 8:40; using Shodan searches, he finds quite a few vulnerable government-owned systems such as red light cameras. It is worth a watch if you have time... the thing that raised my eyebrow is that the cameras he saw never stopped recording.

http://hak5.org/episodes/hak5-1211


Re:Security by stupidity? (2)

Flere Imsaho (786612) | about 2 years ago | (#42551801)

It's also the idiots implementing these systems. One of our international offices moved sites over the Xmas break. The contractor installing the HVAC controller at the new site wants me to open up the firewall so any public IP can access the device on port 80. Apparently it's safe because "...it's running Linux".
*sigh*

it's safe because it's running Linux? (1)

dgharmon (2564621) | about 2 years ago | (#42555305)

"Apparently it's safe because "...it's running Linux"

As compared to Microsoft Windows ...

Re:Security by stupidity? (4, Interesting)

Anonymous Coward | about 2 years ago | (#42552309)

Don't blame me, I'm just the guy that wrote the specification and the software.

- Management told me to remove security. Too much effort (what's a linter? Stop using it. Shorter passwords. Private network? Can't we just use a cable modem? "Fuzzing" ? Takes too long... turn it off)
- Management told me to remove encryption. Too hard to read and debug over-the-wire for the field tech, who might have to run a program and click a button to decode traffic. Or worse, move a jumper to "debug".
- Management had me source the cheapest possible components, and try to use software to recover from their faster and bizarre failures.
- Management had me install DHCP support into the SCADA devices, so it could be hooked onto the easiest possible network.
- Management had me unlock the cellular modem so it would connect to any tower.
- Management had me use public DNS in my SCADA system, because running our own would have cost an afternoon.
- Management had me write a 4 digit backdoor PIN into all hardware, that could not be turned off.
- Management had me specify, design, and write a remote firmware flash interface supporting and utilizing most of the above.
- Management had me write a remote reverse serial console proxy available by pointing your web browser at the right URL.
- Management had me use public rdate servers rather than pay for an accurate internal clock.

Look, I'm just a software engineer. I know a bit of hardware. I let people know when things are dangerous. I quote them times and estimates and costs.

I quote them expected failure rates.

They settle on the cheapest most disease-ridden stray cat they can find starving in a ditch and sell it as a liger. And your engineers somehow buy it.

Look, I may not know everything about securing them -- but most of these problems aren't caused by inept engineers, they're caused by management and sales cutting corners to buy their third Porsche.

I'd *LOVE* to see a reverse bounty program. Sell the management induced bugs in your software to a company client for legal protection against lawsuit, and five years of contractual consulting rates to clean it up.
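The weaknesses named in the article summary (default passwords behind Internet-facing logins) and in the management list above (DHCP on control devices, public DNS, a fixed backdoor PIN, remote firmware flash, a web-proxied serial console, public time servers, a management interface open to any public address rather than a VPN) are all things an asset owner can check for in an inventory before anyone else finds them. The following is an added example, not code from the article or from any commenter: an audit that runs those checks over a device inventory. The inventory format, its field names, the address ranges and both sample devices are constructed assumptions for this example.

```python
"""Exposure audit over a control-system device inventory.

Added example, not code from the article or any commenter. Inventory fields,
address ranges and both sample devices are constructed assumptions.
"""
import ipaddress

# Constructed ranges: the site's control network and the one sanctioned
# remote path into it (the VPN concentrator's client pool).
CONTROL_NET = ipaddress.ip_network("10.0.0.0/8")
VPN_NET = ipaddress.ip_network("10.250.0.0/16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLEARTEXT_SERVICES = {23: "telnet", 80: "http", 502: "modbus"}

# Constructed sample inventory. The first device mirrors the HVAC-contractor
# request in the thread ("any public IP ... on port 80"); the second is what
# a VPN-only, hardened entry looks like under the same checks.
INVENTORY = [
    {
        "name": "hvac-controller-1",
        "mgmt_ip": "203.0.113.20",            # constructed public address (TEST-NET-3)
        "services": [80, 23],
        "allowed_sources": ["0.0.0.0/0"],     # reachable from anywhere
        "default_password": True,
        "backdoor_pin": "1234",               # constructed fixed PIN
        "web_serial_console": True,
        "remote_flash": True,
        "dhcp_client": True,
        "dns_servers": ["8.8.8.8"],
        "time_servers": ["time.example"],
    },
    {
        "name": "pump-plc-3",
        "mgmt_ip": "10.20.0.15",
        "services": [443],
        "allowed_sources": ["10.250.0.0/16"],  # VPN client pool only
        "default_password": False,
        "backdoor_pin": None,
        "web_serial_console": False,
        "remote_flash": False,
        "dhcp_client": False,
        "dns_servers": ["10.20.0.2"],
        "time_servers": ["10.20.0.2"],
    },
]


def is_internal(host):
    """True only for an IP address inside the control network; names count as external."""
    try:
        return ipaddress.ip_address(host) in CONTROL_NET
    except ValueError:
        return False


def audit_device(dev):
    """Return a list of findings for one inventory record (empty means clean)."""
    findings = []
    addr = ipaddress.ip_address(dev["mgmt_ip"])
    if not any(addr in net for net in RFC1918):
        findings.append("management interface on a publicly routable address")
    for src in dev["allowed_sources"]:
        net = ipaddress.ip_network(src)
        if not (net.subnet_of(VPN_NET) or net.subnet_of(CONTROL_NET)):
            findings.append(f"management reachable from {src}, not limited to VPN/control network")
    for port in dev["services"]:
        if port in CLEARTEXT_SERVICES:
            findings.append(f"cleartext {CLEARTEXT_SERVICES[port]} service on port {port}")
    if dev["default_password"]:
        findings.append("default credentials still in place")
    if dev["backdoor_pin"] is not None:
        findings.append("fixed backdoor PIN present")
    if dev["web_serial_console"]:
        findings.append("serial console proxied over the web interface")
    if dev["remote_flash"]:
        findings.append("remote firmware flash interface enabled")
    if dev["dhcp_client"]:
        findings.append("DHCP client enabled on a control device (address not pinned)")
    for srv in dev["dns_servers"]:
        if not is_internal(srv):
            findings.append(f"external DNS resolver {srv}")
    for srv in dev["time_servers"]:
        if not is_internal(srv):
            findings.append(f"external time source {srv}")
    return findings


def audit(inventory):
    """Map each device name to its findings."""
    return {dev["name"]: audit_device(dev) for dev in inventory}


if __name__ == "__main__":
    for name, found in audit(INVENTORY).items():
        print(name, "clean" if not found else "")
        for item in found:
            print("  -", item)
```

The `allowed_sources` check is the one that answers the contractor's "open it to any public IP": a management interface that is only reachable from the VPN client pool passes, and `0.0.0.0/0` fails regardless of what operating system the device runs.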

Re:Security by stupidity? (1)

LeadSongDog (1120683) | about 2 years ago | (#42558595)

Look, I'm just a software engineer.

Don't call yourself an engineer if you won't do your duty to the public.

Re:Security by stupidity? (5, Interesting)

some old guy (674482) | about 2 years ago | (#42553327)

As a SCADA/Integration guy, I can say that most controls engineers cringe at the thought of their networks being open to the internet. It's usually managers and bean counters who demand real-time global data reporting who drive this lunacy. It's not as simple as it appears.

Re:Security by stupidity? (1)

tzanger (1575) | about 2 years ago | (#42556927)

I've lived in the industrial controls world for quite a while before striking out on my own... "real-time global data reporting" doesn't require a world-accessible control interface, or even an open internet connection. It's much simpler than you're making it out to be. Hell, a basic VPN connection back to HQ that puts the remote sites on the corp LAN (where all the data aggregation can take place and be accessed for "dashboards" and whatnot) would be a major step up.

Re:Security by stupidity? (4, Informative)

Anonymous Coward | about 2 years ago | (#42554557)

I worked as a Controls Engineer for 6 years designing, installing, and commissioning PLC / SCADA systems. The clients were anything from large steel mills, manufacturing plants, government, and even propulsion systems for naval vessels. My company was contracted to install these systems and sometimes train the customer's personnel to then handle problems or make additions to the control system if necessary.

The personnel were more often than not your normal plant electricians and if we were lucky an actual engineer, but usually not one with much IT ability. Today's controls systems almost always have a normal Ethernet network sometimes utilizing commercial OTS network switches. This is a big change from 10-15 years ago when the communication media was mostly proprietary for control networks.

When a problem arose I've seen these guys just unplug and plug in CAT5E cables wildly in the hopes of rectifying a problem that brought a process line or machine to a halt, without much thought as to where the issue lies. Other times the plant manager will want to view the SCADA data from his office, so he will instruct an employee to just bridge the control network to the business / office network.

It's really not the fault of the people designing the systems. In the end the company that owns it takes the blame. The vast majority of customers will not pay extra to have their employees trained on these systems and I've never seen one concerned with security. My company sent me to Certified Ethical Hacking training in order to try and make our systems more secure, but in the end the systems integrator's hands are tied.

Following orders (2)

ThatsNotPudding (1045640) | about 2 years ago | (#42556471)

I would blame the engineers less than the vapid, bonus-seeking salesmen telling them to make access as stupid and easy as possible to allow mid-level managers to check in on things without having to get off their asses or sometimes even off the golf course. As usual, most of the blame can be laid at the foot of that three letter monument to sloth and incompetence: MBA.

Re:Following orders (0)

Anonymous Coward | about 2 years ago | (#42557489)

Heh... It's not so much the MBAs that are the problem; it's that you've got people that can't handle finding their *ss with both hands, a road map, and a locator beacon, being taught that they can manage anything with nothing more than the MBA education they got. Worse, you've got people where their problem is obvious [typepad.com] (and still can't find their *ss) and they're teaching the other fools that they can manage things without honestly knowing a damned thing about what they're managing.

With the grounding in the space you're managing, and with the understanding that not all MBA-taught subjects are worth bothering with (For example, while Six Sigma's a good methodology for improving quality in some cases, it's not a magic bullet and it can, even if it's used right, blind you to other problems within your company. Six Sigma's about trying to produce repeatable results- but if you're producing failures or the market took a turn and what was a success is now a failure, you're not going to see the problem if you're relying on Six Sigma, Kaizen, etc. Just look at the company that brought Six Sigma to the limelight- Motorola's now fragmented into a bunch of itty-bitty pieces of its former self and is viewed as the joke of the entire mobile industry... Six Sigma blinded them to the reality that they had problems, amongst other things.) then it's actually a bit of a useful thing.

It's that it's easy to "educate" vapid middle-level managers and above into thinking they're accomplishing something that you should talk to there- it's the symptom, not the monument you're honestly talking to there. And they're easily swayed by a slick talking NPD/BPD salesman that's just shy of a con-artist if not one.

Re:Security by stupidity? (1)

Rogue974 (657982) | about 2 years ago | (#42559445)

I am a Controls Engineer and have worked at several companies and you are right on part of the problem.

There is more to it though. At many places, there is fighting between IT and Controls because IT thinks they know everything about how every computer should work and every network. They come in and try and make changes to fit their standards without realizing they just shut down production.

I have had some IT people that I fought with all the time, some who have ignored me and let me do my thing and a few who have listened and helped me secure my network better. This is the exception to the rule though, and way too many IT people won't listen to the requirements the Controls people have, so we end up fighting and trying to stay away when we could work together and build a separate secure controls network.

Attitudes are starting to change though, and DHS and vendors are starting to educate Controls and IT both whenever they will listen so they can secure their networks. At the current place I work, the CEO and IT Steering committee both saw the light, and while we have done a good job securing our networks, they have agreed to allow us to build the security standards and protocols set out by DHS and vendors.

Vendors also have never built their equipment with security in mind and are starting to make some changes there, but they are not there yet.

Re:Security by stupidity? (2, Insightful)

Anonymous Coward | about 2 years ago | (#42550927)

I was just talking to my boss about this subject today. The merging of mechanical and network engineering is still considered a "new" development; oftentimes the engineers designing the system for a building don't fully understand the IT that it rides on. It's a problem, and it's being addressed, but as the submission states there's a huge lag time with huge companies, so it'll continue to be a problem for a while.

Still shocked although should be expected. (3, Insightful)

dogsbreath (730413) | about 2 years ago | (#42552305)

I was just talking to my boss about this subject today. The merging of mechanical and network engineering is still considered a "new" development; oftentimes the engineers designing the system for a building don't fully understand the IT that it rides on. It's a problem, and it's being addressed, but as the submission states there's a huge lag time with huge companies, so it'll continue to be a problem for a while.

Very insightful but the problem is worse than just the merging of mech/network engineering within a single company. There is a sea of dysfunction washing over the different companies, systems, processes, players and roles. There is a big mess to clean up and although it galls me to say so, I think some sort of legislation may be required both in terms of setting standards and of assigning accountability for poor systems. I won't hold my breath waiting for help on this side.

Some stuff I know to be true:

- CEOs & CFOs are motivated by share price and stock performance issues; they consider IT infrastructure to be an expense item to be minimized. Security devices are cheap but no in-house expertise is fostered, and external advice may be poor or ignored if it leads to inconvenient costs. Truck drivers and drag-line operators are valued positions at a mining company because what they do generates income and income to cost is readily calculated; network designers and IT security admins are just an expense item to be minimized. They generate no obvious positive monetary benefit. More trucks/draglines/drivers/operators = more income and more profit. More IT people = less profit.

- Equipment vendors may be experts at their specific technology but the control programs are not part of their core knowledge. An example I have seen: although the vendor uses some robust logic controllers in the system, they all tie back to a custom control layer built originally by a summer co-op student for a lab demo. The control program does have login security but has never been through any sort of security audit. All system functionality funnels through this layer. It does have a beautiful presentation layer built by a contract software house. BTW, although the login has some protection, by default there is a network API that is always wide open and cannot be shut off or everything crashes. No one knows why. If Production Company A buys production equipment from Vendor Company B, the security vulnerabilities are provided at no extra charge. None of the security issues are documented by B (they largely don't know they exist) and B has no good advice to offer on security issues in any case. The sales droids typically say security is not an issue and their track record speaks for itself. No serious events must mean the product is great.

- Even if production security is seen to be an area of need, corp culture and politics keep anything meaningful from happening. The IT expertise that a company does have is usually focused on internal desktop and financial/HR security issues. They know nothing of the SCADA world which marries physical devices to the abstract world of networks and computing. Worse, the IT division (complete with VP or EVP) views any use of computers and networks outside of the corporate LAN to be a threat to the corporate well being. The IT division sees the production network as a threat to the corporate LAN (usually the threat is worse in the other direction!) so production must run outside the corporate firewalls. This is ok, but IT management actively undermines development of a production side IT division as that is a threat to the corp. power structure. Production networks are built and run by engineers who are smart and have a side interest in computing but whose areas of expertise are power control or chemical production or mechanical systems.

- There is no widely accepted set of standards for production network design and deployment. Production network implementers invent the wheel again and again. If a network solution seems to work, even though it has serious hidden / not-so hidden flaws, the solution design is copied again and again.

- Production systems often have multiple connection points to corporate systems, e.g. power generation systems may feed data into an energy marketplace system. Multiple plants of different age, design, and capability may have literally dozens of interconnections to upstream/downstream systems. Even with competent IT oversight, many security compromises may have to be made just to glue stuff together.

- Physical sites may be remote, unattended and easily exploited. Often physical access is the same as root access to a system. Network endpoints can be a window into a huge opportunity for a villain. Say a production network is isolated from the internet and all traffic is encrypted and authenticated; if just one isolated endpoint has two way access to the entire production network then the net might as well be open to the internet. The fact that we don't hear of this speaks to the obscurity of the issue and not to the robustness of SCADA sites/systems/networks.

- Finally, not every critical system has a viable corporate shell around it. The resources may simply not be available to do any kind of security / network planning. In my rural area, there is a family-run wireless internet company that serves a diverse and thinly spread population. Pop climbs the towers and installs the antennas / changes the hazard lighting. #1 son installs clients and mom does the books and does the config of new clients. They also farm and work at jobs in town (gotta subsidize the farm). There is at least one gas plant and one fractioning site that are each remotely controlled and monitored over this system. (er . . . I know this because I recognize the antennas and where they point). Although they provide a good service and price, the family is more likely to be watching a hockey game in the evening or baling hay instead of boning up on wireless network threats. I KNOW this particular network is likely a nice place to camp and exploit/infiltrate a control stream. I have never tried to attack the network and never would, but I know something of the design. I ran an SNMP manager on my laptop at home and was surprised to see a scan turn up something more than my wind/solar/weather devices. Wireless systems from Motorola. Sigh.

Re:Security by stupidity? (3, Interesting)

khasim (1285) | about 2 years ago | (#42550997)

There are a LOT of idiots out there who do installations.

At one place I worked, contractors went into a remote office to install a phone system and ended up wiring a Win2003 server directly to the Internet (and the internal network) so that they could log into it to make changes to the phone system.

Re:Security by stupidity? (0)

Anonymous Coward | about 2 years ago | (#42551041)

I've got a honeypot set up. It's been running for over a week now and only one user managed to "break" in and all he did was rm -rf /* and that was it.

Re:Security by stupidity? (1)

Anachragnome (1008495) | about 2 years ago | (#42551587)

"I've got a honeypot set up"

So does Homeland Security...thousands of them.

Re:Security by stupidity? (1)

MarkGriz (520778) | about 2 years ago | (#42551289)

Either the people installing these things are lazy, or the companies selling them are giving lousy security advice.

"It's not that I'm lazy.....It's that I just don't care"

Re:Security by stupidity? (1)

Technician (215283) | about 2 years ago | (#42551427)

Or are honey pots to look for threats.

Re:Security by stupidity? (1)

NatasRevol (731260) | about 2 years ago | (#42551495)

7,200 of them?

Re:Security by stupidity? (4, Interesting)

war4peace (1628283) | about 2 years ago | (#42551659)

I saw a gas station and one of the pumps there was in "maintenance mode" or something. Anyway, it wasn't working and on a little LCD display on its body there was an IP address. It wasn't a private IP so I noted it down and when I got to work I tried accessing it through HTTP. Well, what do you think? A nice web-based username+password interface popped up.

Now I ain't a hacker and I really didn't try anything, but I'm sure a skilled security professional would have hacked right through that interface. It's really amazing how many poorly secured interesting devices are out there.

Red light cameras? (3, Funny)

mspohr (589790) | about 2 years ago | (#42550907)

So... how do I find the red light cameras?
Sounds like this could be fun!

Re:Red light cameras? (1)

Forty Two Tenfold (1134125) | about 2 years ago | (#42553649)

Cam4? BTW Dude, what's with your sig!?

Re:Red light cameras? (1)

mspohr (589790) | about 2 years ago | (#42559673)

I found I was wasting a lot of time reading irrelevant sigs so I turned off sigs in my settings.
My sig attempts to encourage others to realize the waste of time in reading sigs.
However, if you like to read sigs, please continue to do so (and I hope you will enjoy mine).

Surprised at the number in use (1)

Black Jack Hyde (2374) | about 2 years ago | (#42550951)

I thought Recount was a lot more popular than Scada.

Re:Surprised at the number in use (0)

Anonymous Coward | about 2 years ago | (#42558387)

Coffee... Meet screen. Well played sir, well played indeed.

now i can mine my own diamonds and platinum (1)

alen (225700) | about 2 years ago | (#42550963)

just in time for my 10th anniversary

So I can log into the live crematorium feed... (1)

BMOC (2478408) | about 2 years ago | (#42551013)

...and modify the setpoint temperature on Grandma's final journey?

Re:So I can log into the live crematorium feed... (0)

Anonymous Coward | about 2 years ago | (#42551109)

...and modify the setpoint temperature on Grandma's final journey?

its probably running linux too

Fire-Sale in the near future? (-1)

Anonymous Coward | about 2 years ago | (#42551055)

Now waiting for "Thomas Gabriel" to emerge and shut down the nation. I'm sure homeland security is just shrugging right about now and saying "we'll take it under advisement". (having Die Hard 4 flashback here people)

Not a surprise. (5, Informative)

Anonymous Coward | about 2 years ago | (#42551129)

I have worked for a large worldwide organisation where SCADA and similar on-line systems are very prominent. After raising concerns and asking for ports to be locked down or default passwords to be changed, there was a lot of departmental fighting over whose responsibility it was, and usually after the battle royale of e-mails everyone would forget until the issue was brought up again.

Too much of a "not broke, don't fix" attitude in smaller companies and bureaucracy in larger companies over responsibility.

Re:Not a surprise. (1)

bbelt16ag (744938) | about 2 years ago | (#42551529)

Well, they are just going to get their asses handed to them when their customers are without services and/or are in danger because of it. We'll see who is to blame once the smoke clears..

Re:Not a surprise. (1)

Anonymous Coward | about 2 years ago | (#42552177)

Bah Humbug. I also worked at a place like that; on the engineering side though, not the IT side: It's often the case (in my experience) that the SCADA systems are coded in such-and-such a manner as to expect so-and-so ports to be open.

IT comes down and tells people 'oh no you have to lock all these systems down; kill all ports except HTTP and SSH' or some such.

But, you know.. We're actually using these ports. We can't just 'turn them off' as if this was some kind of Ruby-On-Rails website that for some reason was also running as an open relay MTA..

So the conflict ends up being about time constraints and billable hours; who is going to pay for the hundreds of engineering man-hours to rewrite software to make it work via web-services over SSH instead of port 12345 running Bubba's binary bit-bashing protocol? IT? And what about the opportunity cost of not being able to use those engineering budget dollars on developing new products?

Re:Not a surprise. (1)

Anonymous Coward | about 2 years ago | (#42555893)

You mention SSH. SSH does have this thing called port forwarding; you can tunnel traffic through an SSH connection. More flexible are Virtual Private Networks. You can also limit access to known IP addresses. There is no reason AT ALL why these ports should be accessible over the internet for everyone. If the SCADA system itself doesn't provide adequate security, put it behind a device that does. You can still use these ports, but not everyone can. It doesn't have to be on or off; it can be on for who is authorized and off for others.
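As an added illustration (not from the poster, and not any vendor's configuration), here is what "on for who is authorized and off for others" looks like as an nftables ruleset on a Linux host or gateway placed in front of the controller. Port 12345 is the legacy application port named in the comment above; the address ranges and the VPN interface name are constructed placeholders, and on a routing gateway the same matches would go in a forward chain rather than input.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset: the legacy SCADA port stays usable, but only for
# traffic arriving over the VPN or from known sites. Everything else is
# dropped by policy. Addresses are constructed documentation ranges.
flush ruleset

define scada_port = 12345                              # legacy application port from the comment
define hq_sites   = { 192.0.2.0/24, 198.51.100.0/24 }  # constructed: HQ and backup-site ranges
define vpn_if     = "wg0"                              # constructed: tunnel interface back to HQ

table inet scada_gw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Let replies to connections we opened flow; drop malformed state.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # SSH is a tunnel endpoint for the known sites, not a public service.
        tcp dport 22 ip saddr $hq_sites accept

        # The legacy protocol port is reachable only over the VPN or from HQ.
        tcp dport $scada_port iifname $vpn_if accept
        tcp dport $scada_port ip saddr $hq_sites accept

        # Anything else is dropped by policy; log a rate-limited sample so
        # connection attempts against the port show up in monitoring.
        limit rate 10/minute log prefix "scada_gw drop: "
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; adding a new authorised site is a change to the `hq_sites` set rather than to the application.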

Give them a kick up the ass (5, Interesting)

viperidaenz (2515578) | about 2 years ago | (#42551161)

Pay a couple more people to go through the list regularly and poke around, turn things on and off. Make it hotter on cold days and colder on hot days. Take pictures of cars running green lights, shut down all but one elevator, etc...

Just being mindful not to hurt anyone.

It'll soon be cheaper to fix the problem than to waste resources cleaning up the mess.

Re:Give them a kick up the ass (2, Funny)

tool462 (677306) | about 2 years ago | (#42551311)

I'd just set the furnace at the crematorium from "Original Recipe" to "Extra Crispy".

Re:Give them a kick up the ass (1)

Billly Gates (198444) | about 2 years ago | (#42551383)

Nope they will just fire the IT guy for not securing. No change there as management feels other cost center IT guys can do it just fine and their reports are more important.

Re:Give them a kick up the ass (0)

Anonymous Coward | about 2 years ago | (#42551837)

The next thing you know, corporate culture!

"In this facility, on the 3rd of March every year, when the sun crosses that pole over there, you dial this knob down by 3.5 clicks. You got that rookie?"
"but, er, why?"
"Just do it! stop talking and keep listening, we have a huge list to go through."

"slow in remedying" - LOL (-1)

Anonymous Coward | about 2 years ago | (#42551513)

There is no such word as "remedying". "Remedy" is a NOUN.

Just like "leverage" is a noun.

Just like 'A.I.D.S.' is an acronym, and 'Aids' means "Journalists are too stupid to remember how to write "A.I.D.S." so they will try to redefine the language, rather than admit they are wrong.

Fucking Americans. "Remedying" indeed. You morons.

I wonder which country gave us that hideous phrase "an abundance of caution", and which group of people it was? Why, American journalists! Or more likely, a JEWISH journalist! What a combination.

It's been this way a LOOONNNGG time... (0)

Anonymous Coward | about 2 years ago | (#42551557)

I remember reading that this was the real cause of the northeast blackout of 2003. Well this combined with MS Blaster. Apparently MS Blaster was causing the SCADA systems controlling power distribution between plants to frequently reboot, until enough of them were simultaneously down for the whole system to fail.

How about eavesdropping (0)

Anonymous Coward | about 2 years ago | (#42551709)

by telephone companies? They don't even need a warrant....

Was I the only one? (3, Funny)

Vitriol+Angst (458300) | about 2 years ago | (#42552109)

When I read; large mining trucks I immediately thought how awesome it would be for geeks to take them over via SCADA devices.

Wow, the large dirt hill fights you could have. The swimming pools of snobby rich people, mysteriously filled in. Monster truck rallies interrupted by attacks of 7 story Mega Monster Trucks. The sheer coolness of surrounding WalMarts with huge walls of landfill waste.

"I'm down here at city hall, and it's absolute mayhem. A large truck, bigger than the building in front of me, is now rolling over all the toll booths, after dumping a huge pile of what must be a mountain of coal on the doorstep of Matty Moroun's estate."

Re:Was I the only one? (1)

aphelion_rock (575206) | about 2 years ago | (#42554849)

GTA only live!

Re:Was I the only one? (1)

Bob the Super Hamste (1152367) | about 2 years ago | (#42557639)

Those giant mining trucks aren't 7 stories tall, only in the 3 to 4 story range; the shovels they use are probably in the 7 story range. Personally I would love to see a rampaging bucket wheel excavator, but those things are really damn slow. The 400 ton (363 metric tons) trucks can really get up and haul ass, as they can top out at about 45 mph and have a G.V.W. of 1,375,000 lbs (623,700 kg). As my oldest son (4 years old) put it the first time he was up at Mine View in the Sky, "They have a big dump truck [constructi...ipment.com] and a little dump truck." With big and little being relative terms and meaning the big one was a 240 ton truck and the little one only being a 100 ton truck.

Post The List (0)

Anonymous Coward | about 2 years ago | (#42552137)

Post the list.
Hilarity ensues.
Stuff gets fixed.
Profit.

Life as usual.

My God (0)

countach (534280) | about 2 years ago | (#42552437)

Imagine the body count when Al-Qaeda hack into these crematoriums. It will make 9/11 look like a small incident.

So where was NERC? (1)

kilodelta (843627) | about 2 years ago | (#42552887)

I mean - NERC is supposed to cover most all of that. It proves utilities all over the U.S. ignored NERC standards.

I found an L55 on the internet once (4, Interesting)

karlandtanya (601084) | about 2 years ago | (#42552897)

From the program in it, I guess it was a demo, not running anything.

I found it completely by accident by searching for the part number of one of the modules that happened to be in the chassis with the controller and the ethernet bridge. The ethernet bridge has its own web page which automatically displays the contents of the chassis, with links to the modules.

I added a controller-scoped tag to it called "ICanSeeYouFromTheInternet", and a tag description of "Please put your ENBT on a private network"
A couple days later it was gone.

SCADA DooDah (4, Informative)

rueger (210566) | about 2 years ago | (#42553007)

For those not overly up to date on their acronyms: "SCADA (supervisory control and data acquisition) is a type of industrial control system (ICS). Industrial control systems are computer controlled systems that monitor and control industrial processes that exist in the physical world. SCADA systems historically distinguish themselves from other ICS systems by being large scale processes that can include multiple sites, and large distances." http://en.wikipedia.org/wiki/SCADA [wikipedia.org]

Threatpost = Kaspersky politics = more lost rights (-1)

Anonymous Coward | about 2 years ago | (#42553793)

Over and Over, I hear this seed story propaganda fear mongering from the same sources. DHS, Kaspersky, Threatpost, Slashdot (the parrot - "Brack" got a cracker?)
Several YEARS have passed by now to fix the problem, and instead we get these draconian laws which don't fix jack, some TOOL in DHS does a samspade lookup on an attacking IP and boom suddenly China is attacking US infrastructure, Level up, War on Terror, Fear, Patriotism stirs people begging for a solution, back comes DHS, Kasper, and TP with provided solution, Give up more liberty for Zero Security.

Turns out the last scada attacks came in on a USB stick, physically carried in!

If I am Engineer, and I have life threatening, unprotected scada crap connected to the web, (or telephone line) or wireless, it's going to be fixed by being re-located behind a dedicated firewall, or hiring a BODY to physically stand there and cycle the switch, valve, pump. IF something happens and I haven't done this I AM RESPONSIBLE.

So, go sic the dogs after the OWNERS/ENGINEERS MALFEASANCE/MISFEASANCE, AND THE CRIMINAL ATTACKERS, not the constitution and bill of rights. There already are enough laws, common bloody sense, and knowledge of electronics, electrical, hardware, programming, and when to say, "that's it put a PHYSICAL BODY there cause it can't be secured!" is what is needed now. Not this constant legal crackdown, meanwhile the threads, blogs and mbs's are all snickering about it instead of providing solutions. They don't snicker when the NDAA comes, so why all the snickering about these SEED PROPAGANDA STORIES?

Turn off the fucking TV, fuck threatpost, kasper and DHS and you fucking SEED STORY PROPAGANDA commies!

Try heise security without the politics instead!

Re:Threatpost = Kaspersky politics = more lost rig (-1)

Anonymous Coward | about 2 years ago | (#42553837)

Turns out the last scada attacks came in on a USB stick, physically carried in!

They lied to us, and tried to use your stupidity about the matter.
IF you carry a usb stick in, that has nothing to do with the web!
The official story was used as a false flag OP for internet crackdown!

Furthermore, hiring BODIES to cycle valves, switches, actuators, pumps will create JOBS, so people can make money, and pay bills.
The whole problem was saving money and convenience, and now an excuse to squeeze the people for money and civil rights.

FUCK THAT SHIT!

Blame me (4, Informative)

AB3A (192265) | about 2 years ago | (#42554419)

My name is Jake Brodsky. I worked with Bob Radvanovsky and others to create this experiment.

The formal announcement of this project is here [infracritical.com] .

It's the manufacturers, engineers, and installers (2, Insightful)

Anonymous Coward | about 2 years ago | (#42554583)

There are controls systems and controls software with passwords hard coded and some that are even burned into ROM - not EEPROM. The problem is that manufacturers have to be able to provide tech support and sometimes that tech support is to non-tech people. The prevailing attitude when I worked in the field was "who would be interested in the system anyway?" Security based on apathy I guess...

IT people used to avoid the SCADA equipment because they needed to understand how their security settings might affect interaction between SCADAs and controllers and they were intimidated - a mistake could cause a product spill or worse.

So, IT was tentative about maintaining SCADAs, engineers were apathetic and couldn't accept that a hacker might be interested in a computer system, and manufacturers wanted to be sure that service could be provided over the phone or net to any idiot no matter their training level.

Is it any wonder that we have numerous SCADA systems running with minimal if any security?

Who in their right mind? (1)

dgharmon (2564621) | about 2 years ago | (#42555195)

"an initial list of 500,000 devices to 7,200, many of which contain online login interfaces with little more than a default password standing between an attacker and potential havoc"

Just who in their right mind, in this day and age, connects SCADA devices directly to the Internet using the default password?

just shut it all down (0)

Anonymous Coward | about 2 years ago | (#42556419)

DHS could just go in there and shut the place down. That might get the message across. And for the record, what I meant was physically go to the site's management with a court order and shut them down, not hack in and turn off equipment without knowing the consequences. It could all be reversed in a couple of hours, once the managers and admins get on the same page and lock it all down.

Ah so the DHS is passing out... (1)

3seas (184403) | about 2 years ago | (#42556791)

... internet condoms?

Re:Ah so the DHS is passing out... (1)

Bob the Super Hamste (1152367) | about 2 years ago | (#42557675)

Sounds like an action they would take.