Was The Three Character Password Used To Hack South Houston’s Water Treatment Plant A Siemens Default?

Siemens said on Tuesday that it is working with the U.S. Department of Homeland Security to investigate a cyber intrusion into a water treatment plant in South Houston, Texas, but couldn’t confirm that a default, three digit password hard coded into an application used to control the company’s SCADA software played a role. 

SimaticSiemens said on Tuesday that it is working with the U.S. Department of Homeland Security to investigate a cyber intrusion into a water treatment plant in South Houston, Texas, but couldn’t confirm that a default, three digit password hard coded into an application used to control the company’s SCADA software played a role. 

The hacker, who goes by the handle “pr0f,” described using an easy-to-crack three character password that provided access to Siemens Simatic HMI (human machine interface) software. That description matches that of the default password that is assigned to new user accounts used with Sm@rtService and Sm@rtClient, two applications used to remotely access Simatic HMI WinCC installations, according to Siemens documentation reviewed by Threatpost.

In a statement Tuesday, Siemens said it “is aware of” the breach in South Houston in which “control graphics screen shots were taken from the system and posted on the Internet.” The company said it didn’t know of any malicious actions associated with the breach, but that it is in “close contact” with ICS-CERT to support “ongoing investigations about the incident,” Siemens said.

A Siemens spokesman could not confirm that the hack in South Houston, Texas, took advantage of a default password used by the application, or one configured by officials in South Houston. However, he acknowledged that older versions of the WinCC application do use three character default passwords.

Calls and e-mail requests to South Houston’s City Hall and Water and Sewer Department seeking comment were not returned. DHS also did not immediately respond to a request for comment.

If a Siemens default password was used in the attack, other Internet-facing Simatic HMI systems might be similarly vulnerable to remote attacks by even novice hackers. For now, however, Siemens is defending the security of its product when “properly configured and installed.”

“Siemens HMI systems…are a robust and practical solution to visualizing and controlling plant automation requirements. Installation of such systems should always consider the recommendations provided in the Siemens Operational Guidelines for Industrial Security, specifically the Siemens Industrial Security Concept.”

Siemens Simatic is widely deployed and has been the target of attacks before. Notably, the Stuxnet worm combined a hard coded password backdoor with SQL injection attacks to compromise systems running the Siemens WinCC application.

In an interview with Threatpost via instant messenger on Monday, the hacker who uses the handle “pr0f” and who has claimed responsibility for the compromise on South Houston, said that he discovered the South Houston Simatic installation using an Internet scanner he developed to look for Simatic HMI services that are accessible from the Internet. He said he doesn’t consider himself a sophisticated hacker or a SCADA expert.

“I don’t work in IT,” he conceded. Rather, he’s a hobbyist interested in the security of embedded devices. South Houston wasn’t the first SCADA system he’s hacked into, though he focuses on the HMI component of SCADA installations. “PLCs (programmable logic controllers) and other components use different services and I haven’t looked at them enough yet,” he wrote.

While he didn’t take any actions after gaining access to the South Houston Simatic installation, he believes his level of access would have allowed him to “play with a few settings; turn off components, and lock people out of the remote access service for a time,” he told Threatpost.

SCADA security experts have warned that SCADA software makers like Siemens have been slow to respond to glaring software vulnerabilities and other design flaws in their software. Writing in June, Ralph Langner, an independent SCADA security researcher, warned that critical vulnerabilities remain in Windows-based management applications and software used to directly manage industrial controllers by Siemens Inc., including WinCC.

Speaking to Threatpost, pr0f said that there is plenty of blame to spread around. Siemens struggles with product security are well documented. At the same time, pr0f said he worked with a SCADA researcher to relay some of the vulnerabilities he had found to DHS and ICS-CERT, without any response. DHS recently said it is re-evaluating whether it will continue to warn the public about all the security failings of industrial control and SCADA systems.

“I imagine the people responsible for that system are feeling the lash of His Master’s Voice right now, when it’s whoever was outsourced to install the damn thing in the first place that should be taking the flak,” he wrote.

South Houston officials responded to the incident promptly after learning of the breach, pulling the affected systems offline and changing the default password within hours, but earlier audits of the SCADA deployment could have caught such a glaring hole, pr0f claimed.

“Really, the issue is these systems are ancient and never get upgraded,” pr0f wrote.

Suggested articles


  • Anonymous on

    I can't help wondering if our benevolant cyber sleuth blew past any "AUTHORIZED OFFICIAL USE ONLY" banners/messages during his recent quest...

  • Anonymous on

    Well since it was a 3 letter password it can't have been the common one: "pcs7*"...

  • Stranger on

    Most likely it was HMI or PLC

  • Anonymous on

    Given the ancient nature of many SCADA systems,and the slow growth of security skill in the utilities enviornment  (which there is NO EXCUSE for given the risk) why these  short-sighted individuals connect their operations LAN to the Corporate LAN is stupid if not criminal.


    Wish they had a hammer like PCI for  Public utilities;  loosing money is one thing but failure of power, gas, water (especially in the winter) should bring arrests.

  • Anonymous on

    We end users in Industry need to take more ownership and refrain from throwing vendors under the bus. Siemens clearly spells out changing the default password in bold letters in their set up guide and discusses two factor authentication.

    The password "---" and all web permissions are set by default for the user entitled "Administrator". Change this default password during commissioning to suit your requirements.
    permissions. If necessary, you can protect the Control Panel against unauthorized access.


    So it's like setting up a Linksys wireless router at home and never changing the default, that's not Linksys's fault NOR is it Siemens!!

  • Anonymous on

    Been there, done that,..when I finished, I removed ALL wiring that allowed internet messing with the PLC's settings or software!!!!! There should be criminal liabilities for leaving a system open to net hacking. One MUST be on-site to make changes.

  • Anonymous on

    How many Banks have there vault door combinations  connected to the net? Is our infrastructure any less valuable?

  • Anonymous on

    I have left a seperate Windows based computer monitoring processes to be accessed from the web. It had NO wiring to the PLC's to allow for hacking. Hey, an idea, could I leave that online puter in a state to where a hacker thinks he is doing something so to make it easier to track them??? Got to think on that one.

  • Anonymous on

    Similar thoughts are posted in the comments at this link:  https://www.infosecisland.com/blogview/18281-ICS-Cybersecurity-Water-Water-Everywhere.html

  • Anonymous on

    Honey pot, clever...


  • Anonymous on

    So... If this is Billy Rios' exploit and he was the only one who was aware of the three character password and then it was used before the information was public, is Rios actually pr0f? Interesting...

  • abubbleshooter.info on

    Excellent story, I am going to bookmark this.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.