SCADAIn an e-mail interview with Threatpost, the hacker who compromised software used to manage water infrastructure for South Houston, Texas, said the district had HMI (human machine interface) software used to manage water and sewage infrastructure accessible to the Internet and used a password that was just three characters long to protect the system, making it easy picking for a remote attack.

The hacker, using the handle “pr0f” took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems used by South Houston, a community in Harris County, Texas. Communicating from an e-mail address tied to a Romanian domain, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. He said South Houston had an instance of the Siemens Simatic human machine interface (HMI) software that was accessible from the Internet and that was protected with an easy-to-hack, three character password.

“This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote in an e-mail to Threatpost.

“I’m sorry this ain’t a tale of advanced persistent threats and stuff, but frankly most compromises I’ve seen have been have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint.”

In a public post accompanied by screenshots taken from the HMI software, the hacker said he carried out the attack after becoming frustrated with reports about an unrelated incident in which an Illinois disaster response agency issued a report claiming that a cyber attack damaged a pump used as part of the town’s water distribution system.

A report by the Illinois Statewide Terrorism and Intelligence Center on Nov. 10 described the incident, in which remote attackers hacked into and compromised SCADA software in use by the water utility company. The hackers leveraged the unauthorized access to pilfer client user names and passwords from the SCADA manufacturer. Those credentials were used to compromise the water utility’s industrial control systems, according to Joe Weiss, a security expert at Applied Control Solutions, who described the incident on ControlGlobal.com’s Unfettered Blog.

“You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on the file sharing Web site pastebin.com.

The system that was compromised was protected by a three character password, pr0f claimed – though not neccessarily the default password for the device.

Siemens Simatic is a common SCADA product and has been the subject of other warnings from security researchers. The company warned about a password vulnerability affecting Simatic programmable logic controllers that could allow a remote attacker to intercept and decipher passwords, or change the configuration of the devices.

In July, Siemens advised customers to restrict physical and logical access to its Simatic Industrial Automation products. The company warned that attackers with access to the product or the control system link could decipher the product’s password and potentially make unauthorized changes to the Simatic product.

At the Black Hat Briefings in August, security researcher Dillon Beresford Dillon Beresford unveiled a string of other software vulnerabilities affecting Siemens industrial controllers, including a serious remotely exploitable denial of service vulnerability, the use of hard-coded administrative passwords, and an easter egg program buried in the code that runs industrial machinery around the globe.

 

Categories: Critical Infrastructure, Data Breaches, Government, Hacks, SMB Security, Vulnerabilities, Web Security

Comments (48)

  1. Anonymous
    3

    While a weak lock is no excuse for committing burglary, it’s surprising how negligent tax dollars seem to be spent in this case.

  2. Anonymous
    4

    While a weak lock is no excuse for committing burglary, it’s surprising how negligent tax dollars seem to be spent in this case.

  3. pretty
    6

    The bet is 50/50 on “HMI” or “pwd” …unfortunately there is no law that describes from which point a system is open or protected.

    That security sounds more like a open system.

  4. Anonymous
    15

    We’re screwed. We have lazy dumbasses running important infrastructure.

    “Think about how stupid the average person is, then realize that 50% are stupider than that” -George Carlin

  5. Anonymous
    21

    this makes me have sad face. The county really is phucked and DHS is helping with all the downplay BS. 

  6. Anonymous
    23

    “common SCADA product”…?

    Uh, as far as we (as systems integrators, who, by the way, recommend our customers to keep their systems OFF the internet!) have been seeing, Siemens SCADA software is not the most common.  It’s either Rockwell or GE.

    When are people going to learn?  Unless your integrator needs access, unplug the $%$^ SCADA network from the internet!

  7. Anonymous
    30

    If you ABSOLUTELY MUST have your SCADA system remotely accessable (for SI access for instance) the MINIMAL acceptable solution is to have it on a network segment only accessable via VPN and authenticated by two factor authentication.  For goodness sake most corporate LANs have at least this level of protection, the drinking water system deserves at least as good as a corporate lan, donchya think?

    Air gap is best, always.

     

  8. Anonymous
    31

    “GOD” is the first that comes to mind right after se… *gg*
    oh btw, pastebin IS NOT a filesharing site..!

  9. Anonymous
    34

    Pastebin is NOT a filesharing website, please clarify that in your article it is quite simply a ‘paste site’ where text can be pasted and shared, originally for programming purposes.

  10. Anonymous
    35

    For a Romanian, that hacker writes English very well. And he/she seems to have a real interest in seeing that security is improved. Sometimes the most serious threats come from misplaced trust.

  11. Anonymous
    38

    I really hope he /she knows what they are doing and covered the tracks very well otherwise there is a bad day coming. TOR will not be enough 

  12. Anonymous
    41

    We end users in Industry need to take more ownership and refrain from throwing vendors under the bus. Siemens clearly spells out changing the default password in bold letters in their set up guide and discusses two factor authentication.

    Note
    The password “—” and all web permissions are set by default for the user entitled “Administrator”. Change this default password during commissioning to suit your requirements.
    permissions. If necessary, you can protect the Control Panel against unauthorized access.

     

    So it’s like setting up a Linksys wireless router at home and never changing the default, that’s not Linksys’s fault NOR is it Siemens!!

  13. Anonymous
    42

    Deer Applikant,

    You have bin turned down fer that innernet pozishun. My nephew is alreddy doin a reel good job. He is Microsoft sertified, too.

    Sinceerly,

    Right Hon. Cletus J. “Coach” Heiferhumper

    Distrikt 5 Kommishunner

  14. Anonymous
    47

    Ugh.  “Unless your integrator needs access”????  Forget that.  Unplug it first, ask questions later.  If somebody needs access, let them get in their car, drive to the facility, show their badge at the door, etc… 

  15. Anonymous
    48

    That is very close to the password on my luggage. Guess its time to change it….hmmm might need to add a few more numbers :-)

Comments are closed.