We’ve written before about hapless business owners practically handing hackers customers’ information by failing to observe basic computer security (Subway, we’re looking at you). But this is a security fail on a whole different level. A researcher has just revealed that about ten thousand systems controlling water plants, sewage plants, and other infrastructure are online, mostly unprotected and findable with a simple search.
Manufacturers of such industrial control systems, which can be used to direct everything from a high school’s lighting to power plants, have taken comfort in the fact that they aren’t supposed to be connected to the web, and thus protecting them from hackers isn’t necessary, said Eireann Leverett, the computer science grad student who presented these findings at the S4 conference (we learned of them from Kim Zetter at Wired’s Threat Level). But for whatever reason, in many cases the computers running the control software are in fact networked. Previous researchers have shown that such computers can be found with a search service that indexes Internet-connected devices, which is worrisome enough. But this single grad student, working full time for three months and part time for three months, built a tool that finds such systems, identifies their security vulnerabilities, and places them on a map. “[If] a student can put this together, surely a nation state can do it,” he said to the audience.
It’s not clear how many of the systems control things as critical as water or power. But the fact that so many of them are accessible at all is unsettling. The Stuxnet virus, which destroyed centrifuges in Iran’s nuclear program, worked by messing with just this sort of control system.
[via Threat Level]
Image courtesy of boegh / flickr