Important SCADA systems secured using weak logins, researchers find

Helps DHS identify 7,200 worst offenders

Thousands of critical SCADA systems reachable from the Internet are secured by dangerously weak default passwords, a survey carried out with the help of the US Department of Homeland Security has found.

According to a third-party report, Bob Radvanovsky and Jacob Brodsky of consultancy InfraCritical used scripts run through the Shodan search engine - 'Google for hackers' - to identify 7,200 vulnerable logins.

After initially searching 500,000 systems, the pair whittled that list in order to put a number to the problem of vulnerable SCADA interfaces before reporting their findings to the DHS.
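The article does not reproduce the InfraCritical scripts, so the following is an added illustration, not their code: an offline triage pass over records shaped like Shodan search results that flags the two things the survey was looking for, ICS protocols exposed directly to the Internet and web logins that are likely to be default credentials. The sample records, the `ExampleHMI` vendor name and its default login are constructed for the example; the port-to-protocol table uses the standard registered ports, and the check for an `ssl` key follows the convention that Shodan attaches one only to services that answered over TLS.

```python
"""Offline triage of Shodan-style banner records for exposed ICS/SCADA services.

Added example, not the InfraCritical scripts the article refers to. Input records
mimic the shape of Shodan search results (ip_str, port, data, product, ssl); the
records and the default-credential table are constructed for illustration.
"""
import json
import re

# Standard ports for common ICS/SCADA protocols. Modbus/TCP, DNP3 and S7comm have
# no login at all, so reaching them from the Internet is a finding on its own.
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Hypothetical entry; a real table would be built from vendor documentation.
DEFAULT_CREDS = {
    "ExampleHMI": ("admin", "admin"),
}

BASIC_RE = re.compile(r'WWW-Authenticate:\s*Basic\s+realm="?([^"\r\n]*)', re.IGNORECASE)


def classify(rec):
    """Return the list of findings for one Shodan-style record (empty if clean)."""
    port = rec["port"]
    banner = rec.get("data", "")
    product = rec.get("product", "")
    flags = []

    if port in ICS_PORTS:
        flags.append(f"unauthenticated ICS protocol exposed: {ICS_PORTS[port]}")

    m = BASIC_RE.search(banner)
    if m:
        realm = m.group(1).strip()
        if "ssl" not in rec:
            # No TLS: Basic credentials cross the Internet base64-encoded, not encrypted.
            flags.append(f"HTTP Basic auth over cleartext (realm={realm!r})")
        haystack = f"{product} {realm}".lower()
        for vendor, (user, pw) in DEFAULT_CREDS.items():
            if vendor.lower() in haystack:
                flags.append(f"default-credential candidate: {vendor} ({user}/{pw})")
    return flags


def triage(records):
    """Keep only records with at least one finding, worst-first by number of flags."""
    out = []
    for rec in records:
        flags = classify(rec)
        if flags:
            out.append({"ip": rec["ip_str"], "port": rec["port"], "flags": flags})
    out.sort(key=lambda f: (-len(f["flags"]), f["ip"]))
    return out


# Constructed sample records shaped like Shodan API output (RFC 5737 test addresses).
SAMPLE = json.loads(r'''[
 {"ip_str": "192.0.2.10", "port": 502, "data": "Modbus unit id: 1\n"},
 {"ip_str": "192.0.2.11", "port": 80, "product": "ExampleHMI",
  "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"ExampleHMI Web Panel\"\r\n"},
 {"ip_str": "192.0.2.12", "port": 443, "ssl": {"cert": {}},
  "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"Gateway\"\r\n"},
 {"ip_str": "192.0.2.13", "port": 22, "data": "SSH-2.0-OpenSSH_8.9\r\n"}
]''')

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["ip"], f["port"], "; ".join(f["flags"]))
```

On the constructed sample the Modbus host and the cleartext `ExampleHMI` panel are reported; the TLS-protected gateway and the SSH host are not. A real run would feed the function the `matches` list returned by the Shodan API for queries such as `port:502` and would need to confirm any default-credential candidate by a controlled, authorised login attempt rather than by banner text alone.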

"The biggest thing is we are trying to assign a number - a rough magnitude - to a problem plaguing the industry for some time now," Radvanovsky was quoted as saying.

"Until you identify the scope of a problem, no one takes steps to change things. We're doing it on a beer budget; we hope others confirm our results."

The list of SCADA systems included critical infrastructure as well as building automation, traffic control and red-light cameras, and even crematoriums.

"A lot of these guys want to fix things at 3 a.m. without driving three hours in each direction. It's worth a lot to them to put it up on the Net without thinking hard about the potential consequences," commented Brodsky.

"They'll presume a particular protocol is not well known. These guys think no one will figure it out, but actually, there's a lot of residual information available where you could figure it out. They're not as secure as they think they are."

The DHS had contacted the controllers of the affected systems, the researchers said, although progress to rectify the dangerous insecurity had yet to be confirmed.

"This highlights a great weakness in critical infrastructure both in the US and beyond: security is still firmly rooted in the 20th century," said Chris McIntosh, CEO of security specialist ViaSat UK.

"For example, an attack on the energy grid needn't assault hubs of power generation or sub-stations: communications lines, business networks and even smart meters can be viable points of entry. Incidents could involve manipulating real-time electricity grid management equipment such as transformers and capacitors, resulting in anything up to blackouts of entire regions."

Such systems should always use rigorous authentication and, preferably, an encrypted channel, he said.

"Companies should be working on the assumption that their systems have already been compromised and plan accordingly."

Nearly a year ago, the Shodan search engine was used by an independent researcher to uncover a major flaw in TRENDnet home webcams which could allow an attacker to view private video feeds in real time.

Stories by John E Dunn