A stray artifact in a TLS certificate led security researchers to an unnerving discovery: hundreds of control-room dashboards for US water utilities were sitting a click away from the public internet, and dozens of them offered full, no-password control over pumps, valves and chemical feeds.
The trail started last October, when the research team at Censys ran a routine scan of industrial-control hosts and noticed certificates with the word “SCADA” embedded. That label, short for Supervisory Control and Data Acquisition, is typically associated with monitoring systems in industrial control environments. Censys found the same certificate distinguished name (DN) across several instances of the uncommon browser-based HMI platform.
[...]
Misconfigured HMIs Expose US Water Systems to Anyone With a Browser
Robert B. Carleton + ISC2 Central Mississippi Secretary