There is a lot of emphasis on computer security these days. Strong passwords, encryption, the whole nine yards. Apparently no one told a community called South Houston in Texas, USA. According to various confirmed reports, the municipality was using a simple three-character password to protect its Internet-facing SCADA system, which controls water and sewage systems. This system was accessed by a hacker known only as pr0f as a proof of concept. Yikes.
"This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” hacker pr0f said in an email. He went on to call the error an example of “gross stupidity.” Pr0f claims to have used a simple port scanner to look for instances of SCADA systems with web interfaces after being angered by the US Department of Homeland Security’s downplay of an earlier unrelated SCADA attack.
This attack was carried out more as a wake up call, but attackers could do serious damage to utilities. Pr0f is likely far from the only person scanning for these vulnerabilities, but the others are probably more malicious. Let’s hope that cities take a long hard look at their security practices.