


SCADA and phpMyAdmin: A match made in hell

Nov 21, 2011 | 2 mins
Data and Information Security

Sophos Senior Security Advisor Chester Wisniewski wrote an interesting piece on why phpMyAdmin is one of the weakest links in the SCADA security chain.

In a Naked Security blog post, he writes of how he got the creeps when learning that many SCADA systems are using it.

It has been reported that a SCADA systems failure at a municipal water processing plant may have been caused by hackers infiltrating their network.

The attackers were repeatedly turning a pump on and off until it caused the pump to fail, raising an alert to the operators.

Upon investigation they determined that attackers may have infiltrated the system starting in September 2011, although the attack wasn’t discovered until November 8th, 2011.

The notice about the attack noted that it was similar to an attack against the Massachusetts Institute of Technology earlier this year which exploited bugs in the open source software phpMyAdmin.

Reading about this my spidey-sense was tingling… What? They have SCADA control systems hooked up to the public internet? And they are running phpMyAdmin!?!?

I run a reasonably low profile, small website for myself and some friends and at one point had installed phpMyAdmin to assist them with daily SQL management chores.

I removed it four years ago after a never-ending stream of severe vulnerabilities made it too risky for my *play* site.

According to the National Vulnerability Database, phpMyAdmin has at least 105 reported security vulnerabilities.

It would appear it is common practice these days to connect these sensitive critical infrastructure systems to the public internet and use COTS (Common Off The Shelf) software to manage them.

Convenience and price are always desirable to those responsible for managing these systems, but this is bordering on criminally negligent when you are responsible for our water, power, gas and other sensitive utilities.

He’s right, of course.

Hopefully, the incidents of last week will light a fire under those responsible for managing these complex, critical infrastructure networks.

Doing away with the use of phpMyAdmin is probably an excellent place to start.

–Bill Brenner
