(Dagbladet): A Scada system for the wastewater in Meath County in Ireland, just north of Dublin, has been available online - only protected with a default user name and password.
Dagbladet has received print screens showing different parts of the Irish system during our work on a series of articles about data security, «Null CTRL» («Zero CTRL»).
We showed the print screens to the owner, Meath County Council. After they looked into the problem, they sent the following comment by e-mail:
- I would like to thank you for making contact. Meath County Council is currently discussing improvements to our Scada system with our external service provider. User accounts have been reviewed with the service provider and some changes have been implemented, writes Administrative Officer Olive Falsey within Corporate Services in Meath County Council.
Monitoring purposes - The Council would also like to say that the SCADA system is for monitoring purposes and hence no remote adjustment of any of our facilities is possible, she writes.
Dagbladet has also shown the print screens to security consultant Eireann Leverett at Ioactive. He says that even though the panel might be a read-only user, this doesn't mean that it is safe.
- Unfortunately, this does not mean it is safe in any sense because it is sometimes possible to escalate privilege in such systems, he says.
Confronted with this, Olive Falsey from Meath County Council writes:
- As stated, Meath Co. Council is working with the service provider to ensure that the system operates in a manner that protects all data.
A familiar problem Using default passwords is problematic because these kind of passwords are easy to guess or find online.
- The use of standard passwords is a familiar problem, it is a huge problem and has been for a very long time, says researcher Niklas Vilhelm at the Norwegian National Security Agency.
- People are expected to change these passwords in order to improve the security of these devices, but a lot of the time people forget that it might be a serious problem if they do not.
Among other things, the journalists found:
• 2500 control systems connected to the Internet with minimal or no security
• 500 of these control industrial or critical infrastructure
• 290 vulnerable control systems, in banks, schools, nursing homes - and a military camp
• 2048 surveillance cameras in private homes, night clubs, shops and restaurants
• Thousands of data bases and servers that give away content without passwords
- Shocking The problem with industrial control systems, or Scada systems, is that they were never meant to be online in the first place, says the man behind Shodan, John Matherly.
- Companies want to connect these systems to the Internet so that they can access data and control the systems from everywhere around the world, which is obviously cheaper than travelling to the different places. But by connecting these systems to the Internet, they ignore the risk, because these systems were never meant to be online, Matherly says.
- So suddenly you have all these devices on the Internet, which where never meant to be there, without any security.
A few years ago, Eireann Leverett located and mapped more than 10,000 industrial control systems on the Internet.
- I think most everyday people people would expect the level of security of these devices to be much, much higher. They would expect that they are rigourlously tested and use strong cryptography and are protected by a firewall. And I think most people would be very shocked to see the state that some of these systems are in, Leverett says.