Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Important SCADA systems secured using weak logins, researchers find

Helps DHS identify 7,200 worst offenders

Article comments

Thousands of critical SCADA systems reachable from the Internet are secured by dangerously weak default passwords, a survey carried out with the help of the US Department of Homeland Security has found.

According to a third-party report, Bob Radvanovsky and Jacob Brodsky of consultancy InfraCritical used scripts run through the Shodan search engine – ‘Google for hackers’ - to identify 7,200 vulnerable logins.

After initially searching 500,000 systems, the pair whittled that list in order to put a number to the problem of vulnerable SCADA interfaces before reporting their findings to the DHS.

“The biggest thing is we are trying to assign a number - a rough magnitude -to a problem plaguing the industry for some time now,” Radvanovsky was quoted as saying.

“Until you identify the scope of a problem, no one takes steps to change things. We’re doing it on a beer budget; we hope others confirm our results.”

The list of SCADA systems included critical infrastructure as well building automation, traffic control and red-light cameras and even crematoriums.

 “A lot of these guys want to fix things at 3 a.m. without driving three hours in each direction. It’s worth a lot to them to put it up on the Net without thinking hard about the potential consequences,” commented Brodsky.

“They’ll presume a particular protocol is not well known. These guys think no one will figure it out, but actually, there’s a lot of residual information available where you could figure it out. They’re not as secure as they think they are.”

The DHS had contacted the controllers of the affected systems, the researchers said, although progress to rectify the dangerous insecurity had yet to be confirmed.

“This highlights a great weakness in critical infrastructure both in the US and beyond: security is still firmly rooted in the 20th century,” said Chris McIntosh, CEO of security specialist ViaSat UK.

“For example, an attack on the energy grid needn't assault hubs of power generation or sub-stations: communications lines, business networks and even smart meters can be viable points of entry.  Incidents could involve manipulating real-time electricity grid management equipment such as transformers and capacitors, resulting in anything up to blackouts of entire regions."

Such systems should always use rigorous authentication and, preferably, and encrypted channel, he said.

“Companies should be working on the assumption that their systems have already been compromised and plan accordingly.”

Nearly a year ago, the Shodan search engine was used by an independent researcher to uncover a major flaw in Trendnet home webcams which could allow an attacker to view private video feeds in realtime.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *