A number of loyal readers have been sending in examples of vulnerable, Internet accessible control systems. The example below from Patrick Stave of Norway is representative of what we are receiving. In this case, I 100% agree with ICS-CERT that if you have your SCADA or DCS on the Internet, you are facing an increased risk.
Check out Shodan for “NS web interface”.
This is a HMI-panel with remote operation from Omron.
Runs on 1980s Microware OS9 operating system.
Default user details (actually they are difficult to change!):
Only operation mode requires authentication.
All panels where the password has been changed can still be monitored on URL /monitor.htm
Also some of theese can be altered with the engineering software CX-designer over web without authentication (of course a result of port forwarding from the user).
Also the panel can be used as a gateway to connect to the PLC and visa-versa.
Have found several examples of PLCs directly configurable / controlled over internet without authentication.
Patrick then provided some screenshots showing some displays:
British monitoring and water feed control for a hydroelectric power plant. Accessible / controllable / programmable over the Internet, with no password.
A large water/sewage monitoring system for a county. [Read more…]