SCADA Hacking via Search Engines

Thursday, August 4, 2011 @ 04:08 PM gHale

SCADA systems are under the security microscope these days, but the intensity may step up a bit as it is now possible to hack into a system via a search engine.

During a demo at the Black Hat conference in Las Vegas, one operator typed search terms into Google and came up with a treasure trove of information, while clicking on no links so as not to break the law by accessing a network without authorization.


Researcher Tom Parker searched for terms associated with a Programmable Logic Controller (PLC). Among the results was one referencing an “RTU pump status” for a Remote Terminal Unit, of the kind used in water treatment plants and pipelines, that appeared to be connected to the Internet. The result also included a password: “1234.”

“You can do a Google search with your Web browser and start operating [circuit] breakers, potentially,” said Parker, chief technology officer at security consultancy FusionX.

Most SCADA protocols do not use encryption or authentication, and they don’t have access control built into them or the device itself, said Jonathan Pollet, fellow presenter and founder of Red Tiger Security. This means that when a PLC has a Web server and connects to the Internet, anyone who discovers its Internet Protocol address can send commands to the device, and the commands will go through, he said.

“If that RTU or PLC has large motors connected to it, pumping out water or chemicals, the equipment could be turned off,” Pollet said. “If it was a substation and the power recloser switches were closed, we could break it open and create an (electricity) outage for an entire area or city… The bottom line is you could cause physical damage to whatever is connected to that PLC.”

To know exactly what to search for on the Internet, the researchers bought a PLC with an embedded Web server that had an identifying string of characters associated with the hardware and then typed that information into Google, Pollet said.

Earlier this year, Pollet discovered on the Internet a transformer running an electricity substation in the United Kingdom with no password required and notified the utility company. “You could see [circuit] breaker statuses, see the last time it was worked on, the status of the transformer,” he said, doing a quick Google search for the device. “It’s still on the Internet but now they prompt for a password,” he said, finding the link.
