Siemens said on Tuesday that it is working with the U.S. Department of Homeland Security to investigate a cyber intrusion into a water treatment plant in South Houston, Texas, but could not confirm that a default three-character password, hard-coded into an application used for remote access to the company’s SCADA software, played a role.
The hacker, who goes by the handle “pr0f,” described using an easy-to-guess three-character password that provided access to Siemens Simatic HMI (human-machine interface) software. That description matches the default password assigned to new user accounts in Sm@rtService and Sm@rtClient, two applications used to remotely access Simatic HMI WinCC installations, according to Siemens documentation reviewed by Threatpost.
In a statement Tuesday, Siemens said it “is aware of” the breach in South Houston, in which “control graphics screen shots were taken from the system and posted on the Internet.” The company said it did not know of any malicious actions associated with the breach, but that it is in “close contact” with ICS-CERT to support “ongoing investigations about the incident.”
A Siemens spokesman could not confirm whether the South Houston intrusion took advantage of the application’s default password or of one configured by officials in South Houston. He did acknowledge, however, that older versions of the WinCC application use three-character default passwords.
Calls and e-mail requests to South Houston’s City Hall and Water and Sewer Department seeking comment were not returned. DHS also did not immediately respond to a request for comment.
If a Siemens default password was used in the attack, other Internet-facing Simatic HMI systems might be similarly exposed to remote attacks by even novice hackers: a three-character password drawn from the printable ASCII set has fewer than a million possible values (95^3 = 857,375), so it offers no meaningful resistance to online guessing, and a published default requires no guessing at all. For now, however, Siemens is defending the security of its product when “properly configured and installed”:
“Siemens HMI systems…are a robust and practical solution to visualizing and controlling plant automation requirements. Installation of such systems should always consider the recommendations provided in the Siemens Operational Guidelines for Industrial Security, specifically the Siemens Industrial Security Concept.”
Siemens Simatic is widely deployed and has been the target of attacks before. Notably, the Stuxnet worm used a hard-coded password for the WinCC database, together with SQL statements issued against that database, to compromise systems running the Siemens WinCC application.
In an interview with Threatpost via instant messenger on Monday, pr0f, who has claimed responsibility for the compromise of the South Houston system, said that he discovered the South Houston Simatic installation using an Internet scanner he developed to look for Simatic HMI services that are reachable from the Internet. He said he does not consider himself a sophisticated hacker or a SCADA expert.
“I don’t work in IT,” he conceded. Rather, he’s a hobbyist interested in the security of embedded devices. South Houston wasn’t the first SCADA system he’s hacked into, though he focuses on the HMI component of SCADA installations. “PLCs (programmable logic controllers) and other components use different services and I haven’t looked at them enough yet,” he wrote.
While he didn’t take any actions after gaining access to the South Houston Simatic installation, he believes his level of access would have allowed him to “play with a few settings; turn off components, and lock people out of the remote access service for a time,” he told Threatpost.
SCADA security experts have warned that SCADA software makers like Siemens have been slow to respond to glaring software vulnerabilities and other design flaws in their products. Writing in June, Ralph Langner, an independent SCADA security researcher, warned that critical vulnerabilities remain in Siemens’ Windows-based management applications, including WinCC, and in the software used to directly manage its industrial controllers.
Speaking to Threatpost, pr0f said that there is plenty of blame to spread around. Siemens’ struggles with product security are well documented. At the same time, pr0f said he worked with a SCADA researcher to relay some of the vulnerabilities he had found to DHS and ICS-CERT, without any response. DHS recently said it is re-evaluating whether it will continue to warn the public about all the security failings of industrial control and SCADA systems.
“I imagine the people responsible for that system are feeling the lash of His Master’s Voice right now, when it’s whoever was outsourced to install the damn thing in the first place that should be taking the flak,” he wrote.
South Houston officials responded promptly after learning of the breach, pulling the affected systems offline and changing the default password within hours, but an earlier audit of the SCADA deployment could have caught such a glaring hole, pr0f claimed.
“Really, the issue is these systems are ancient and never get upgraded,” pr0f wrote.