SCADA System + 3 Character Password = PWNED

OK, really anything with a 3-character password is going to get compromised, but it being a SCADA system just makes this a bit more insane. The basics are that the city of South Houston made its water control system accessible from the internet and “protected” it with a 3-character password. Sure enough, someone poked around at it a bit and got access to it. It could have been messy if an attacker had decided to cause some problems. Can you imagine what it would be like when all the toilets in town suddenly can’t flush because the water is shut down? Yech!

Toilet Down!

What I suspect happened is that whoever was managing this system just wasn’t thinking about what they were doing. Maybe they got in a hurry when doing the install and forgot to go back and reset the password. Or they (incorrectly) decided that since this was an internal system, they didn’t need a good password. Then later it was decided to allow access to the management interface from the internet.

Either way, this whole thing was bad. It could have been avoided with some basic procedures and controls. Using a reasonable password and not putting any management interface directly online come to mind quickly. If you really do need remote access to such an interface, then use some kind of VPN to do so. It doesn’t really take that long to set up and is at least a start on performing some due care.

Time for some folks to take a step back, learn some basics and then start trying to fix some stuff.  Aim for good security practices at first, then start worrying about some of the more difficult attacks to defend against.


Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRT54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly. He enjoys coding in Python and telling everyone he uses Linux.
