Thousands of Infrastructure Computer Systems are Online, Unprotected

By Veronique Greenwood | January 26, 2012 4:04 pm

spacing is important

We’ve written before about hapless business owners practically handing hackers customers’ information by failing to observe basic computer security (Subway, we’re looking at you). But this is a security fail on a whole different level. A researcher has just revealed that about ten thousand systems controlling water plants, sewage plants, and other infrastructure are online, mostly unprotected and findable with a simple search.

Manufacturers of such industrial control systems, which can be used to direct everything from a high school’s lighting to power plants, have taken comfort in the fact that they aren’t supposed to be connected to the web, and thus protecting them from hackers isn’t necessary, said Eireann Leverett, the computer science grad student who presented these findings at the S4 conference (we learned of them from Kim Zetter at Wired’s Threat Level). But for whatever reason, in many cases the computers running the control software are in fact networked. Using a search that lets you identify Internet-connected devices, previous researchers have shown that you can find such computers, which is worrisome enough. But this single grad student, working full time for three months and part time for three months, built a tool that finds such systems, identifies their security vulnerabilities, and places them on a map. “[If] a student can put this together, surely a nation state can do it,” he said to the audience.

It’s not clear how many of the systems control things as critical as water or power. But the fact that so many of them are accessible at all is unsettling. The Stuxnet virus, which destroyed centrifuges in Iran’s nuclear program, worked by messing with just this sort of control system.

[via Threat Level]

Image courtesy of boegh / flickr

  • Brian Too


  • Iain

    So next time I flush my toilet I might get some nuclear waste showing up?

  • James Harmer

    So the only thing stopping the Iranians having a damn good time with the US electrical supply system, is their ignorance of US power companies incompetence?

  • Chris Winter

    Does anyone remember the Pakistani Brain virus? That was, what — 15 years ago? I wouldn’t count too much on the ignorance of inimical Iranians, or of any other enemies.

  • Chris Winter

    “Thousands of infrastructure computer systems are online unprotected.”

    Clifford Stoll — white courtesy telephone, please.

    Seriously, though, Cliff Stoll has retired from battling hackers, having done his bit. The sad thing is that his message hasn’t sunk in. I’ll bet that many of those systems still have the manufacturer’s default passwords.

  • John Kwok

    I think those operating these systems should not only take a look at Stoll’s work, but also Bruce Sterling’s insightful “The Hacker Crackdown”.

  • Nikademus

    Nothing will be done about this issue, until some thing happens and all/most of these computers are infected. Anyone remember the HUGE black out on the East coast a few years ago, that was an “accident” imagine how much worse it would have been if someone was actually TRYING to screw with out infrastructure… But it is OK, the US government is here to save you by passing ACTA, and taking bribes from MPAA and RIAA to cripple the internet. If the pirates cannot get our oh so valuable music and movies, then we do not need to worry about infrastructure.


Discover's Newsletter

Sign up to get the latest science news delivered weekly right to your inbox!


80beats is DISCOVER's news aggregator, weaving together the choicest tidbits from the best articles covering the day's most compelling topics.

See More

Collapse bottom bar