Ok, really anything with a 3 character password is going to get compromised, but it being a SCADA system just makes this a bit more insane.  The basics of this is that the city of South Houston made their water control system accessible from the internet and “protected” it with a 3 character password.  Sure enough, someone poked around at it a bit and got access to it.  Could have been messy if an attacker decided to cause some problems.  Can you imagine what it would be like when all the toilets in town suddenly can’t flush because the water is shut down?  Yech!

What I suspect happened is that whoever was managing this system just wasn’t thinking about what they were doing.  Maybe they got in a hurry when doing the install and forgot to go back and reset the password.  Or they (incorrectly) decided that since this was an internal system, they didn’t need a good password.  Then later it was decided to allow access to the management interface to the internet.

Either way this whole thing was bad.  It could have been avoided with some basic procedures and controls.  Things like using a reasonable password and not putting any management interface directly online come to mind quickly.  If you really do need remote access to such an interface, then use some kind of VPN to do so.  It doesn’t really take that long to do and is at least a start on performing some due care.

Time for some folks to take a step back, learn some basics and then start trying to fix some stuff.  Aim for good security practices at first, then start worrying about some of the more difficult attacks to defend against.

Link - https://threatpost.com/en_us/blogs/hacker-says-texas-town-used-three-digit-password-secure-internet-facing-scada-system-112011