Aug 5, 2011 09:58 GMT

Security experts warn that some companies fail to properly secure their SCADA systems and leave them accessible from the Internet. Some control interfaces have even been indexed by Google.

During a Black Hat USA workshop entitled "Building, Attacking And Defending SCADA Systems in the Age of Stuxnet," FusionX CTO Tom Parker showed how searching for particular strings in Google can be used to locate insecure programmable logic controllers (PLCs).

PLCs are the building blocks of supervisory control and data acquisition (SCADA) systems. They are programmed to control industrial equipment according to specified parameters or received commands.

According to CNET, Parker's Google search query returned a link to the web interface of a Remote Terminal Unit (RTU) of a kind usually found in water treatment plants. The entry also listed "1234" as the password.

Meanwhile, co-presenter Jonathan Pollet, founder and principal consultant at Red Tiger Security, said that earlier this year he located an unprotected ABB transformer running an electricity substation in the United Kingdom using the same method.

"This shouldn't even be on the Internet. It's an active substation," the security expert said. He contacted the company that owns the transformer and, although it has since started requiring a password, the control interface can still be found through Google.

According to Pollet, the problem is that SCADA communication protocols were not designed with encryption and strong access controls in mind, mainly because at the time nobody assumed that SCADA equipment would ever be connected to the Internet.

However, to cut costs and simplify maintenance, companies have enabled remote access without changing the protocols. The secure way to achieve this would be network segmentation, with strong authentication required to reach each segment.

SCADA security is a topic that has increasingly captured researchers' attention since the Stuxnet industrial sabotage malware was discovered last year.