This doesn't surprise me AT ALL. You guys wouldn't believe some of the stuff I've seen out there. Work in the industrial automation field is largely done by individuals/companies called System Integrators. Integrators are cowboys and most of the industry is an unregulated wild-west. There is a pervasive "git-er-done" attitude; nothing else matters, security included.
(I'm a developer at one of the smaller SCADA software companies.)
Indeed, while our politicians bloviate about 'terrorism' and how safe they're keeping us, this is the reality. Notable that this occurred in Texas, where the legislature would be as likely to consult Jesus about the incident as a security expert. I honestly have to wonder whether our society will be going down in flames soon due to the odd combination of reliance upon and willful, resentful ignorance of knowledge that is being promoted in public culture.
Just sit in on a discussion of the business case of a new technology. "This is where the future is, we need to be where consumers/customers are, everything must be digital." So they spend $3m on a new "social" or "cloud" platform, then say "oh yeah, we don't have the budget for security monitoring or personnel to cover this platform. Roll it out anyway."
Amen to that. I do some work on the network side of control systems—and default passwords (or no passwords) are rampant, and often recommended under manufacturer guidelines. The last part there is the more worrisome.
Business phone systems are the same. Most manufacturers only allow a 4 char password. Now phone systems are being hacked left and right; "hackers" (more like organized crime) selling carrier service and the company gets the bill.
It doesn't surprise me at all either. SCADA systems invariably seem to be ancient museum pieces pressed into service out of necessity and kept in service out of inertia.
The kind of shit I've seen in SCADA comms rooms blows my mind -- bare, homebrew breadboards screwed into 19" racks; SparcStations caked with dirt and grime; passwd files containing active accounts for people who are now dead.
The only thing I find surprising about any of this is that it doesn't happen every single day.
Well, just so you know, it's not limited to your industry. The "You guys wouldn't believe some of the stuff I've seen out there" is almost insulting given what I have seen. I guess it's just anybody out there who's been in contact with the real world who can say that.
The big industrial automation and SCADA companies all provide some level of application engineering/system integration services. But, it's only practical to do the integration work in-house for large (millions of dollars in revenue annually or tens of millions of dollars in revenue one time) customers. Managing thousands of local teams of integrators all over the world to take on smaller jobs would be prohibitively expensive.
For smaller, "one-off" jobs, the integration work is done by distributors or by 3rd party integrators. Distributors will often do the integration for free and cover the integration cost and their profit from the discount the manufacturer gives them from list price. Most integrators do fixed-price bids for work, and may also make money from equipment markups. In both cases, there is a lot of incentive to do the minimum possible, especially since the projects tend to be poorly specified.
This is all made worse by the fact that the customers tend to be technically unsophisticated. That makes it hard for them to effectively manage projects, and hard for them to make informed judgements when selecting suppliers. Suppliers are usually picked based on personal relationships with the sales team (manufacturer's or distributor's) and the in-house engineer's familiarity with a given supplier.
Finally, the whole industrial automation industry isn't terribly glamorous. The typical problems being solved on any given job have been solved thousands of times before. The technology is often old and clunky (the most common language is called ladder logic... look it up, it's good for a laugh). Being successful requires a mixture of software, electrical engineering, mechanical engineering, and sales skills. Since most distributors and integrators live almost hand-to-mouth, sales skills tend to be emphasized, even among the engineers. The engineers who are good at sales find they can make more money doing sales. The ones who aren't salesy find there isn't much room for advancement and move on. I'm over-generalizing, but the overall trends don't encourage high-quality software engineering.
Some of the huge guys like Rockwell and Siemens may offer integration services; I'm not 100% sure though.
But I'm guessing it's mostly because system integrators are qualified in a way a software company isn't. The scope of a project that an integrator might take on can be vast and the SCADA software is generally only one piece of the equation.
There is no way to stop people from doing this sort of thing because people are infinitely creative in ways to be dumb. The solution is not to have critical infrastructure controlled over the public internet.
Lack of clean water can cause large amounts of chaos very quickly[1]. Water infrastructure should be something that Governments want to protect.
Given that, and given weird laws about "providing help to terrorists"[2] I'm amazed that someone putting a 3 character password on something so important, and then letting it face the Internet, is not going to see jail time.
[1] See, for example, flooding in Gloucestershire, England, a few years ago. That was troublesome, but only got really bad when a local water treatment plant was flooded.
This is great when the bank only has a few hundred accounts. Sure, it is unlikely to guess a single individual, but a thief probably doesn't care who they steal from.
I just called my bank, to double check, and now 6 character passwords, letters and numbers are allowed, a truly massive improvement!
What I don't understand is, now that all bank cards in Canada have a smartcard embedded, why can't they just hand out $5 card readers and use that for ebanking? Every major browser and OS supports this stuff right out of the box.
If you lock the account, you allow a trivial DoS. If you lock the IP, anyone with a botnet can trivially work around it. And with enough accounts, you can just scan the entire space of (possible) accounts for anyone with a particular PIN.
Every bank I have used will lock the account after a small number of failed attempts; sure it's a DoS, but that's the price you pay. You are right about the botnet work around, but if you have one you can just watch people logging in without needing to brute force anything! The real problem for people who break into bank accounts is where to transfer / spend the money that can't be traced.
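The two comments above describe the trade-off in miniature: per-account lockout stops a classic brute force against one account, but an attacker who tries a single common PIN once against every account never trips it, and spreading the attempts over a botnet defeats per-IP blocking too. The simulation below is an added example written for this thread, not code from any of the commenters or from any bank. Everything in it is constructed: the account numbers and PINs are generated at random, the lockout threshold of three failures is an assumption, and the IP addresses are documentation ranges. It also goes a step beyond the thread by sketching the one detection that lockout does not give you: counting how many distinct accounts a single source fails against.

```python
"""Added example (not from the thread): why per-account lockout does not stop
a PIN-guessing attacker who has many accounts to choose from. All accounts,
PINs and addresses below are constructed for the demonstration."""
import random
from collections import defaultdict

PIN_LENGTH = 4
LOCKOUT_THRESHOLD = 3  # failed attempts before an account locks (assumption)


def make_accounts(n, seed=1):
    """Constructed sample data: n accounts, each with a uniformly random PIN."""
    rng = random.Random(seed)
    return {f"acct{i:06d}": f"{rng.randrange(10 ** PIN_LENGTH):0{PIN_LENGTH}d}"
            for i in range(n)}


class Bank:
    """Toy login endpoint with per-account lockout after LOCKOUT_THRESHOLD failures."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.failures = defaultdict(int)
        self.locked = set()
        self.attempt_log = []  # (source_ip, account, success)

    def login(self, source_ip, account, pin):
        if account in self.locked:
            self.attempt_log.append((source_ip, account, False))
            return False
        ok = self.accounts.get(account) == pin
        if not ok:
            self.failures[account] += 1
            if self.failures[account] >= LOCKOUT_THRESHOLD:
                self.locked.add(account)
        self.attempt_log.append((source_ip, account, ok))
        return ok


def vertical_attack(bank, account, source_ip="198.51.100.7"):
    """Classic brute force: every PIN against one account. Lockout stops this
    after LOCKOUT_THRESHOLD guesses, so the search almost never completes."""
    for guess in range(10 ** PIN_LENGTH):
        if bank.login(source_ip, account, f"{guess:0{PIN_LENGTH}d}"):
            return [account]
        if account in bank.locked:
            break
    return []


def horizontal_attack(bank, pin, source_ips):
    """Reverse brute force ("spraying"): one PIN against every account, with
    requests rotated across source_ips. One attempt per account never reaches
    the lockout threshold, so no account is ever locked."""
    hits = []
    for i, account in enumerate(bank.accounts):
        ip = source_ips[i % len(source_ips)]
        if bank.login(ip, account, pin):
            hits.append(account)
    return hits


def detect_spraying(attempt_log, min_distinct_accounts=50):
    """Detection that lockout cannot provide: flag any source that fails
    against many *distinct* accounts, regardless of per-account counts.
    A botnet that keeps each bot under the threshold still evades this."""
    failed_accounts = defaultdict(set)
    for ip, account, ok in attempt_log:
        if not ok:
            failed_accounts[ip].add(account)
    return {ip for ip, accts in failed_accounts.items()
            if len(accts) >= min_distinct_accounts}


if __name__ == "__main__":
    accts = make_accounts(20000)
    single = Bank(accts)
    hits = horizontal_attack(single, "1234", ["203.0.113.9"])
    print(f"spray from one IP: {len(hits)} accounts opened, "
          f"{len(single.locked)} locked, flagged: {detect_spraying(single.attempt_log)}")
    botnet = Bank(accts)
    bots = [f"10.0.{i // 256}.{i % 256}" for i in range(1000)]
    hits = horizontal_attack(botnet, "1234", bots)
    print(f"spray from 1000 bots: {len(hits)} accounts opened, "
          f"flagged: {detect_spraying(botnet.attempt_log)}")
```

With 20,000 accounts and a uniform 4-digit PIN the spray yields on the order of two accounts for 20,000 requests and zero lockouts, which is exactly the point made above: the thief does not care whose account it is. The distinct-account detector catches the single-source version but not the 1,000-bot version, where each bot touches only 20 accounts; in practice that pushes the defence towards rate-limiting and anomaly scoring on the login endpoint as a whole rather than on any one account or address.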
Many years ago I worked for a defense contractor who not only had 123abc as the password for a workstation that held secret information and was connected to the internet, but a post-it note with "password: 123abc" was kept on top of a monitor which was visible through a window from a corridor that random members of the public had access to. When I brought this up as possibly a poor security practice the reaction was anger towards me, and then moving the post-it note to the side of the monitor so it would not be visible from the window.
If there actually was Secret level classified information on a system, it is a security infraction that that monitor is visible through a window to the public. That contractor should have been reported to the program Security Officer. Glad the defense contractor I work for takes things a little more seriously.
Sounds like the same school of reactive pseudo-security that gave us the TSA: broken in too many ways to count, patching one particular aspect of the problem when brought up or exploited, completely ignoring the big picture, and getting angry when questioned.
Well, well... In between developing censoring and deep packet inspection infrastructure for Iran and Egypt (in a joint venture with Nokia) and getting their PLC control software rooted by Stuxnet, Siemens makes badly secured SCADA systems for water supplies.
In the US, there was a relatively recent regulation of IT security in the form of Department of Defense Directive 8570. This directive requires IT security folks who work on DoD contracts to have a certification from one of the major certification authorities (think CISSP). Personally I'm not a fan of required certification for a number of reasons, but at least the DoD is trying to improve the quality of contractors working in IT security.
I'm going to say it: if people who work "in the real world" would release this stuff to an organization like the now-dead WikiLeaks or Anonymous, the bad press might put enough fear into a higher-level manager to actually audit their crappy systems for this stuff.
Also I think somebody ought to pass some tougher laws about leaving national infrastructure open to simple attacks. We can start with "3 years in prison for default passwords."
Many many years ago, when modems were king, there was a breach similar to the 3 character password, UCB... well, the rest is history. I don't remember the details precisely; probably still can be found in some news or mailing list archives.
Not exactly the vaguest, probably -- a couple of years ago, the pants allusion, you know. Pretty funny & caused quite the stir in the right circles (HTE, etc.).