Own your local SCADA!

24/08/2007 Written by minor

Penetration tests can sometimes bring surprising results, but penetration tests on critical targets should not bring any. As Forbes reported a few days ago, Scott Lunsford was offered the chance to penetrate a nuclear power station.

The owner of the plant claimed that critical components could not be accessed from the Internet. “It turned out to be one of the easiest penetration tests I’d ever done,” Lunsford said.

He added: “By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant.” The system was powered by SCADA software. Ganesh Devarajan from TippingPoint presented his security research on SCADA systems, and the possibilities for finding vulnerabilities in them, at DefCon. No doubt this system is vulnerable: because it is not publicly available, there is no pressure from users to fix possible vulnerabilities.

Another fact is that the system was designed at a time when there was no Internet connection, which explains why the developers were not concerned about possible security issues.

Connecting this revelation to the fact that the Internet is a weapon, we come to the conclusion that a single attacker can cause great damage affecting thousands of citizens. For example, with one owned SCADA system in a nuclear power station, you have a weapon of mass destruction. Enough, or?

