SCADA and phpMyAdmin: A match made in hell
In a Naked Security blog post, he writes of how he got the creeps when learning that many SCADA systems are using it.
It has been reported that a SCADA systems failure at a municipal water processing plant may have been caused by hackers infiltrating their network.
The attackers were repeatedly turning a pump on and off until it caused the pump to fail, raising an alert to the operators.
Upon investigation they determined that attackers may have infiltrated the system starting in September 2011, although the attack wasn't discovered until November 8th, 2011.
The notice about the attack noted that it was similar to an attack against the Massachusetts Institute of Technology earlier this year which exploited bugs in the open source software phpMyAdmin.
Reading about this my spidey-sense was tingling... What? They have SCADA control systems hooked up to the public internet? And they are running phpMyAdmin!?!?
I run a reasonably low profile, small website for myself and some friends and at one point had installed phpMyAdmin to assist them with daily SQL management chores.
I removed it four years ago after a never-ending stream of severe vulnerabilities made it too risky for my *play* site.
According to the National Vulnerability Database, phpMyAdmin has at least 105 reported security vulnerabilities.
It would appear it is common practice these days to connect these sensitive critical infrastructure systems to the public internet and use COTS (Common Off The Shelf) software to manage them.
Convenience and price are always desirable to those responsible for managing these systems, but this is bordering on criminally negligent when you are responsible for our water, power, gas and other sensitive utilities.
He's right, of course.
Hopefully, the incidents of last week will light a fire under those responsible for managing these complex, critical infrastructure networks.
Doing away with the use of phpMyAdmin is probably an excellent place to start.