I’net security

The I’net is like a neighborhood with a bunch of teenagers constantly checking the doors and windows to see if they can get into houses and do something to brag about their successes. Seldom is it worse than just trespassing and graffiti but every now and then the behavior can have more important consequences such as identity theft, surveillance, or espionage.

Slashdot describes one such event where a hacker got into a South Houston water and sewer supervisory control and data acquisition (SCADA) system.

This hit the news as there is a big fear about these ‘teenage hackers’ or foreign espionage agents (take your pick) getting into critical infrastructure to support a terrorist attack and destroy the country.

The problem is that the public utility left the doors with weak locks and did not do anything to secure the property. Since the hackers claim that the password was only 3 characters, some commenters to the Slashdot story speculated the password was “H2o” or similar. Between that and the fact that the SCADA systems had I’net connections, security was rather lame.

As many businesses find out, security tends to fade in employee priorities. Doors tend to get propped open for ease of use, ID badges and keys get loaned out, anomalies are overlooked, …

Banks use two-factor access, as one example. You enter an ID and then the bank presents you with a page that has a picture or some other custom factor on the page requesting your password. That allows you to make sure you are talking to the bank rather than to some ghost site of a hacker.

The Iran nuclear site was hacked by using physical media. There, the SCADA systems were not on the public network but the operators used USB memory media to transfer files and reports. As the diamond mine owners discovered, you have to pay very careful attention to what goes in and goes out to prevent losses.

The public utility was lax in its security and it got hacked as a result. The challenge is to not confuse such lax security with appropriate security. It is not that much trouble to have password systems that require keys that are complex enough but not overly so. It is not that much trouble to use access methods that require more than just a password such as biometric authentication. It is not that much trouble to physically isolate critical systems from open data paths.
