I have a bit of background I learned from primary sources with direct knowledge of the situation.
First, this dam was not a life safety issue. It was for storm water management. The sluice gate was supposedly out of service at the time. However, even it had been in service, it could have gone up or down all day long and no lives would have been at risk.
Firoozi used a method called ‘Google dorking’, which is a process where an individual uses specific search terms to find online systems. He supposedly was using this method for several months searching for vulnerable U.S. control systems.
Source: CFO Magazine
Second, the people involved were understandably, but profoundly ignorant. They were small town managers who barely understood what SCADA was or how it worked.
Third, the integrator was well known for building wide open, insecure systems. Why? Because security was not in the contract.
This process is not as simple as a normal search; however, anyone with a computer and Internet access can perform this technique. Federal authorities say this method of searching for vulnerable systems is being increasingly used by hackers Worldwide.
Source: Wall Street Journal
The conclusion expressed by the sources was that if hackers in Iran hadn’t done this, someone else almost certainly would have. It was only a matter of time. This facility isn’t critical by anyone’s definition. When spending money on security configuration, training, and so forth, sites like this do not rate as highly as, say, an HMI for a small town’s well system. As such, considering spending and resource limits, sites like this just don’t make it to the top of the list.
There has been discussion on how to rate control systems integrators for security and what criteria to use so that they would have an obligation to go beyond the lightest configuration possible. All that can be done is to document good practices and to encourage vendors to deliver products locked down by default.
