Hacked Texan Water Infrastructure Had a 3 Character Password

This doesn't surprise me AT ALL. You guys wouldn't believe some of the stuff I've seen out there. Work in the industrial automation field is largely done by individuals/companies called System Integrators. Integrators are cowboys and most of the industry is an unregulated wild-west. There is a pervasive "git-er-done" attitude; nothing else matters, security included.<p>(I'm a developer at one of the smaller SCADA software companies.)

There is no way to stop people from doing this sort of thing because people are infinitely creative in ways to be dumb. The solution is not to have critical infrastructure controlled over the public internet.

Lack of clean water can cause large amounts of chaos very quickly[1]. Water infrastructure should be something that Governments want to protect.<p>Given that, and given weird laws about "providing help to terrorists"[2] I'm amazed that someone putting a 3 character password on something so important, and then letting it face the Internet, is not going to see jail time.<p>[1] See, for example, flooding in Gloucestershire, England, a few years ago. That was troublesome, but only got really bad when a local water treatment plant was flooded.<p>[2] At least, in the UK.

sounds like my bank, bank of Montreal, they only allow 4 number passwords for their e-banking shit (seriously)

Was the password "H2O"?

Well, well... In between developing censoring and deep packet inspection infrastructure for Iran and Egypt (in a joint venture with Nokia) and getting their PLC control software rooted by Stuxnet, Siemens makes badly secured SCADA systems for water supplies.

this reminds me of the movie hackers.<p>"Yeah but don't forget God. System operators love to use God. It's that whole male ego thing." ;-)

Given that I probably would have put "Hacked" in quotes then.

Does anyone else think that it's only a matter of time before IT security is going to be a regulated industry?

I have always wondered how weak the passwords were on things like this. It is a shame someone even put such a password on there.

I'm going to say it: if people who work "in the real world" would release this stuff to an organization like the now-dead WikiLeaks or Anonymous, the bad press might put enough fear into a higher-level manager to actually audit their crappy systems for this stuff.<p>Also I think somebody ought to pass some tougher laws about leaving national infrastructure open to simple attacks. We can start with "3 years in prison for default passwords."

many many years ago, when modems were king, there was a breach similar to the 3 character password, UCB... well, the rest is history. I dont remember the details precisely, probably still can be found on some news or mailing list archives.