back to article Finland a haven for vulnerable SCADA systems

Security researchers in Finland have turned up thousands of unsecured Internet-facing SCADA systems in that country, using the Shodan search engine. The researchers, from Aalto University, ran their test in January, and found 2,915 exposed systems running functions from building automation to transport and water supply. Those …

COMMENTS

This topic is closed for new posts.
  1. Lars Silver badge
    IT Angle

    The problem with Finns

    is that they are rather honest and expect other people to be honest too. Not such a good idea always, still I would add some stupidity to this too, trying to stick to the IT angle.

  2. Christian Berger

    Well that problem will soon be solved

    Just google for "SCADA in the cloud" and yes, that's a real thing, and yes it will be implemented by people knowing less about security than an MSCE in the 1990s.There is also talk about using WLAN for such applications.

    If we could just get SCADA security up to the level of non Win/Mac desktop security, we simply wouldn't have those problems. SCADA systems currently are hard enough to get running at all (ever gotten DCOM to run?) people rarely bother with security, as security means that there's another thing that can make it fail.

    1. Chris Miller

      Re: Well that problem will soon be solved

      True - unfortunately, lack of security is another thing that can make it fail, as well.

    2. John Smith 19 Gold badge
      Unhappy

      Re: Well that problem will soon be solved

      "SCADA systems currently are hard enough to get running at all (ever gotten DCOM to run?)"

      I'd rather it not be installed in the first place.

      1. Christian Berger

        Re: Well that problem will soon be solved

        "I'd rather it not be installed in the first place."

        Well DCOM is the backbone of many industrial automation systems. It's the base of OPC and is even used by some standards like PROFINET which combine DCOM with raw Ethernet packets... doing the signaling in DCOM and the data in raw packets, because... well... I'm glad I don't have to work in that are.

        The big problem is that those people don't understand what they are doing. They have no idea why DCOM could be a bad idea. They have no idea why some complex standards like OPC-UA (using encrypted XML over SOAP with lots of complexity added in for what is essentially a pimped up key value store with messaging features) are a bad idea.

    3. Anonymous Coward
      Anonymous Coward

      Re: Well that problem will soon be solved

      how about security cameras over wlan?

      Anon, because $orkplace security people have just done exactly that - and not just a couple of the things.

      1. Christian Berger

        Re: Well that problem will soon be solved

        Well it depends. There's currently a push for WLAN systems for industrial control. Done right this can be sensible and good.

        Imagine you had security cameras sending their pictures via scp with public key authentication or some similar scheme WLAN is not much of a problem.

        If you however have simple webserver based solutions without proper authentication, it is. You should always treat you LAN and your WLAN in particular as an insecure network which may break and be intercepted.

        So if you have WLAN cameras which watch over an outside area which can be seen from the fence anyhow, this probably isn't much of a problem.

  3. teebie
    Coat

    "I lost thousands because your bank didn't secure their systems" "suomi"

    (It's funny because 'suomi' is Finnish for Finnish, and sound a bit like 'sue me'. No? I'll obey the icon.)

  4. Euripides Pants
    Thumb Up

    Something the translating is gained lost

    The Google translation is a hoot.

    "Automation systems are controlled by many of society's critical infrastructure in transport supply of water."

  5. John Smith 19 Gold badge
    Coat

    The danger with this should be obvious

    All their data could disappear into Finn air.

  6. Charles Manning

    Responded to http != insecure

    My bank's website responds to http, yet it is pretty secure. You need to go deeper than that to really know if it is vulnerable.

    However, it is good policy to run SCADA on a private betwork. If it has to go remote then use VPN.

This topic is closed for new posts.

Other stories you might like