An FBI report seen here details what could be seen as the hacking elite sect of Anonymous, Antisec, using a backdoor to compromise an air-conditioning control system in New Jersey.
This leaves me to the question of how vulnerable the government and private sectors are for these types of compromise of SCADA and building control systems.
Most hack jobs are attempts at ‘low hanging fruit’ or extraction of data. If the players are looking to ‘step it up’, then the heart of the data centers must be considered.
They are all, large and small, requiring the same components:
- HVAC (heat exchange)
- Flame Retardant Systems
- Secondary Power (UPS and generators)
- Physical Controls
- Space and Equipment
This may fall under facilities or IT, or a mixture of both, but a lot is vendor supported so that means controls go out the window.
Default or low strength passwords may be common!
Hardening the systems may be more than authorization credentials. They would have to have email support set up and monitored as well as being secured from the beginning.
Physical penetration, either through the doors or network perimeter, will make the systems more easily probed, understood, controlled and possibly destroyed.
Many scenarios could be thought of but I think messing with the power and the heat exchange are the most dangerous.
An easy is to cut the air and rev the equipment in the room to create more heat.
The humidity can be messed with and air-dried to create shocks and that may make it easier to blow things with a power surge.
Generators could be run at night and emptied. With a power down, the UPS can be viewed and physical access or into the supervisory controls can be inaccessible.
There is a possibility those SMTP alerts were shut or redirected.
I would hope there would not be backdoors in a majority of industrial and building controls but I’ve never had to reset the password on one of them either.
Organization security should not just be big Data and DR but may need to be focused more on some of the basics in the ‘black box’.