Ok, really anything with a 3 character password is going to get compromised, but it being a SCADA system just makes this a bit more insane. Â The basics of this is that the city of South Houston made their water control system accessible from the internet and “protected” it with a 3 character password. Â Sure enough, someone poked around at it a bit and got access to it. Â Could have been messy if an attacker decided to cause some problems. Â Can you imagine what it would be like when all the toilets in town suddenly can’t flush because the water is shut down? Â Yech!
What I suspect happened is that whoever was managing this system just wasn’t thinking about what they were doing. Â Maybe they got in a hurry when doing the install and forgot to go back and reset the password. Â Or they (incorrectly) decided that since this was an internal system, they didn’t need a good password. Â Then later it was decided to allow access to the management interface to the internet.
Either way this whole thing was bad. Â It could have been avoided with some basic procedures and controls. Â Things like using a reasonable password and not putting any management interface directly online come to mind quickly. Â If you really do need remote access to such an interface, then use some kind of VPN to do so. Â It doesn’t really take that long to do and is at least a start on performing some due care.
Time for some folks to take a step back, learn some basics and then start trying to fix some stuff. Â Aim for good security practices at first, then start worrying about some of the more difficult attacks to defend against.