Weak default passwords and other security holes leave thousands of important SCADA systems that are directly reachable over the Internet wide open to attack, the US Department of Homeland Security recently reported.
InfraCritical consultants Bob Radvanovsky and Jacob Brodsky, with help from the DHS, found thousands of devices that could be susceptible to attack because of simple, easy-to-guess logins. To arrive at an estimate of how many such devices exist, they used scripts to query Shodan, the search engine for Internet-connected devices often described as the “Google for hackers.”
As a result, the pair were able to start from roughly 500,000 systems and narrow the list down to about 7,200 weakly protected devices before reporting their research to the DHS.
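As an added example (not the InfraCritical scripts the article describes), the following Python triage pass shows the shape of that narrowing step: it reads Shodan-style banner records, keeps only hosts that expose an industrial protocol listener or a cleartext login prompt, and counts the findings so there is a concrete number to report. It assumes the field names of Shodan's JSON export (ip_str, port, transport, product, data), a short list of well-known industrial protocol ports, a few assumed login-prompt heuristics, and constructed sample records on RFC 5737 test addresses so that it runs offline.

```python
"""Triage Shodan-style banner exports for exposed SCADA/ICS endpoints.

Added example: this is not the InfraCritical script described in the
article. It assumes the field names of Shodan's JSON export (ip_str,
port, transport, product, data) and uses constructed sample records
(RFC 5737 test addresses) so that it runs offline.
"""
import json
from collections import Counter

# Well-known industrial protocol ports. Most of these protocols were
# designed without authentication, so an Internet-reachable listener
# is a finding in itself.
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    1911: "Tridium Niagara Fox",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Services whose login prompt sends credentials in cleartext. The marker
# strings are assumed heuristics for a banner that is asking for a login.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 8080: "HTTP"}
LOGIN_MARKERS = ("WWW-Authenticate: Basic", "login:", "Password:")

# Constructed records shaped like Shodan export lines (one JSON object per line).
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.10", "port": 502, "transport": "tcp",
     "product": "Modbus", "data": "Modbus/TCP unit ID 1 responds to read request"},
    {"ip_str": "192.0.2.11", "port": 80, "transport": "tcp",
     "product": "HMI web server",
     "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"HMI\"\r\n\r\n"},
    {"ip_str": "192.0.2.12", "port": 443, "transport": "tcp",
     "product": "nginx", "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"},
    {"ip_str": "192.0.2.13", "port": 22, "transport": "tcp",
     "product": "OpenSSH", "data": "SSH-2.0-OpenSSH_8.9\r\n"},
    {"ip_str": "192.0.2.14", "port": 23, "transport": "tcp",
     "product": "Telnet", "data": "\r\nPLC gateway\r\nlogin: "},
    {"ip_str": "192.0.2.15", "port": 20000, "transport": "tcp",
     "product": "DNP3", "data": "DNP3 outstation address 10"},
]
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def classify(rec):
    """Return a list of (category, detail) findings for one banner record."""
    port = rec.get("port")
    data = rec.get("data", "")
    findings = []
    if port in ICS_PORTS:
        findings.append(("ics-protocol",
                         f"{ICS_PORTS[port]} listener reachable from the Internet"))
    if port in CLEARTEXT_PORTS and any(m in data for m in LOGIN_MARKERS):
        findings.append(("cleartext-login",
                         f"{CLEARTEXT_PORTS[port]} login prompt sends credentials unencrypted"))
    return findings


def triage(export_text):
    """Parse newline-delimited JSON banners and keep only hosts with findings.

    Returns (records_seen, {ip: [(category, detail), ...]}).
    """
    seen = 0
    flagged = {}
    for line in export_text.splitlines():
        if not line.strip():
            continue
        seen += 1
        rec = json.loads(line)
        findings = classify(rec)
        if findings:
            flagged.setdefault(rec["ip_str"], []).extend(findings)
    return seen, flagged


def summarize(flagged):
    """Count findings per category: the concrete 'magnitude' number to report."""
    counts = Counter()
    for findings in flagged.values():
        for category, _ in findings:
            counts[category] += 1
    return counts


if __name__ == "__main__":
    seen, flagged = triage(SAMPLE_EXPORT)
    print(f"{seen} records scanned, {len(flagged)} hosts flagged")
    for ip, findings in sorted(flagged.items()):
        for category, detail in findings:
            print(f"  {ip:<14} {category:<16} {detail}")
    print(dict(summarize(flagged)))
```

On the sample data the pass keeps 4 of 6 hosts: the Modbus and DNP3 listeners because the protocol itself has nothing to authenticate a client, and the HTTP Basic and Telnet prompts because whatever password they guard, default or not, crosses the wire unencrypted. A real run would feed it a Shodan export filtered to your own address space, and the port list would be tuned to the vendors you actually operate; the point is that an exposure count is a script, not a guess.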
Radvanovsky said the pair aimed to reach a concrete number in order to attach a magnitude to a problem that might otherwise seem intangible.
“Until you identify the scope of a problem, no one takes steps to change things,” he said. “We’re doing it on a beer budget; we hope others confirm our results.”
At an OWASP Los Angeles presentation in the fall, information security researcher Dan Tentler showed just how easy it can be to break into SCADA systems found through Shodan. Passwords on critical infrastructure devices often remain at their factory defaults, and those defaults are frequently published in vendor documentation.
SCADA systems are pivotal to everyday infrastructure and control anything from traffic signals and red-light cameras to water dams, ice rinks and even crematoriums.
In regard to the ease of breaking into some of these devices, Radvanovsky said: “They’ll presume a particular protocol is not well known. These guys think no one will figure it out, but actually, there’s a lot of residual information available where you could figure it out. They’re not as secure as they think they are.”
The DHS has acknowledged the problem and has since contacted the operators of the 7,200 systems, but remediation progress so far has been abysmal.
Ensuring that you have the right security team to protect your data is of utmost importance. If you are looking to fill a senior-level security position, contact Tiro Security to find out more about our Executive Search options.