But it is a lot more complex than the mainstream press would have you believe. That story above is effectively about researchers using a specialised search engine to find what is effectively the login banner of SCADA systems … that is those systems that control utilities such as sewage plants, power systems, etc. What is not so widely publicised is that the same researchers warned about these insecurities as far back as 2010, so the latest warning by the US government is a bit lackadaisical.
On the other hand the discovery of what is effectively login banners is just that – login banners. Whilst this is pretty poor practice, it does not necessarily mean that the bad guys can get into the relevant systems. Attaching critical systems directly to the Internet is something that really should not be done, but is often done because :-
- It has probably long been the practice to attach such systems up in such a way that work can be carried out from home. In the past, it would have been via a dial up modem. Making such systems available on the Internet makes such insecurity more visible, although dial up modems themselves are not necessarily secure.
- Attaching the systems directly to the Internet is the kind of laziness that comes from a desire for convenience. Only services that everyone on the Internet can legitimately make use of should be directly on the Internet. Attaching “work from home” services should be done via some sort of gateway service, such as a VPN system, but that requires more work.
- On occasions, such systems are connected directly to the Internet in an emergency for convenience – such as getting a vendor to look at some problem. And of course once connected, it tends to stay connected. Amazingly enough, it often seems that the customer needs to jump through hoops for the convenience of a vendor rather than the other way around.
Of course gateway systems themselves can be vulnerable especially given the problems we have with weak passwords.
Earlier I mentioned that just because a SCADA system can be reached from the Internet does not mean a bad guy can break into it to cause damage. Well, that is true enough but most experts think that SCADA systems are riddled with security issues including default passwords left unchanged, etc. Pehaps as poor as the Internet was back in the early 1990s.
It is a strange thing, but it seems that vendors who sell us stuff do not seem to pay much attention to security until bad guys start attacking them and exposing their vulnerabilities.
So we have a situation where SCADA systems are directly connected to the Internet, and many of those SCADA systems are vulnerable in some way. Does this mean that bad guys are going to break in and destroy the utilities ?
Well, perhaps. But on previous occasions, the bad guys have broken in just to look around. As someone remarked to me recently, the bad guys are busy making money and unless they see a way to make money from insecure SCADA systems they will leave alone. Of course there is always the issue of cyber-terrorism where the bad guys are less interested in money and more in making a point of some kind or another.
But should you worry about the security of SCADA systems? Probably not. After all, why worry about something you have no power over? Should I worry about the security of SCADA systems – definitely (as you may have guessed my work involves security). Anyone in the information security business should be looking at their own SCADA systems and wondering whether they are protected properly.