Working with the EPA to Secure Exposed Water HMIs

Original link: https://censys.com/blog/turning-off-the-information-flow-working-with-the-epa-to-secure-hundreds-of-exposed-water-hmis

After identifying the exposed water infrastructure systems, the team decided to contact both the software manufacturer and the Environmental Protection Agency (EPA), since earlier outreach to operators had not succeeded. While the manufacturer's response was lukewarm, the EPA, which had previously worked with the team on a similar problem, showed great interest. On October 8, 2024, the team shared data on nearly 400 exposed systems, including authentication state and location information. The EPA prioritized the more than 300 fully exposed and unauthenticated systems and mobilized its regional offices for mitigation. Within nine days, the EPA confirmed that 24% of the identified systems had been remediated. It also contacted the manufacturer, prompting it to assist its customers. By mid-November, 58% of the most vulnerable systems had been secured, and the manufacturer used the incident to promote stronger security measures such as multi-factor authentication.

Here's a short summary of the Hacker News thread: the thread discusses a Censys.com article about securing exposed water HMIs with the EPA. One commenter, katzenversteher, notes that the industrial and SCADA world is often vulnerable because of outdated operating systems (Windows, DOS) and legacy protocols such as OPC DA; these systems are often stuck on older versions to support outdated controller engineering software. While isolated, this isn't a problem, but the push for edge computing, machine learning, and predictive maintenance exposes them to risk. Another commenter, oasisbob, criticizes the original article's verbose writing, particularly the section cautioning against assuming widespread security issues are as serious as they appear, finding such verbose and seemingly empty writing frustrating in the age of AI.

Original article

Following our discovery and quantification of these interfaces, we knew we needed to take action. Based on our previous attempts to notify operators of improperly exposed systems, we thought it unlikely that the utilities running these systems would respond positively to any outreach from us. Instead, we tried a different approach: we contacted both the software manufacturer and the U.S. Environmental Protection Agency (EPA).

Upon sharing our findings with the manufacturer, we were met with a polite but tepid response. They expressed appreciation, but there was no clear indication action would be taken to remediate the exposures. Vulnerability and exposure notifications are often ineffective, so this wasn’t especially surprising.

It may be obvious why we contacted the manufacturer, but may be less so why we reached out to the EPA directly. During the summer of 2024, we compiled a report on exposed water infrastructure in the U.S., and the EPA was interested and engaged in remediating the exposures. We had experience working with them and knew we shared the same goal of removing sensitive water infrastructure from the internet.

On October 8, 2024, we shared raw data for nearly 400 exposed water systems with the EPA, including IP, port, and likely location of the service, pulled from metadata in the HTTP response's HTML title. Using methods outlined above, we also included indications of whether each host was authenticated, read-only, or entirely unauthenticated. The majority of these systems were fully exposed (read-only) or unauthenticated. Upon receipt, our contacts at the EPA prioritized the more than 300 unauthenticated and fully exposed systems and began engaging the EPA Regions for mitigation assistance.
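The paragraph above describes the shape of the dataset handed to the EPA: one row per host with IP, port, a location guessed from the HTML title, and an authentication state used to prioritize outreach. The script below is an added example, not Censys's tooling, that builds that kind of triage table from a handful of constructed HTTP responses. The article does not publish how it classified hosts, so the classification heuristics (a 401/403 or `WWW-Authenticate` header or a password form means authenticated, an explicit view-only marker in the body means read-only, anything else served without a challenge means unauthenticated) and the title-splitting rule for the location are assumptions made here for illustration; the sample responses and the fictional site names are constructed.

```python
"""Triage constructed HMI HTTP responses into a notification dataset.

Added example, not Censys's own code. The auth-state heuristics and the
location-from-title rule are assumptions for illustration only; the article
does not describe its actual method.
"""
import re
from dataclasses import dataclass

# Triage order: unauthenticated hosts first, then read-only, then authenticated.
PRIORITY = {"unauthenticated": 0, "read-only": 1, "authenticated": 2}


@dataclass
class Observation:
    """One captured HTTP response from a scan (constructed for this example)."""
    ip: str
    port: int
    status: int
    headers: dict
    body: str


def parse_title(body: str) -> str:
    """Return the <title> text with whitespace collapsed, or '' if absent."""
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return re.sub(r"\s+", " ", m.group(1)).strip() if m else ""


def location_from_title(title: str) -> str:
    """Assumed heuristic: operators often put the site name before a separator,
    e.g. 'Anytown WTP - Overview'. Returns '' when there is no separator."""
    parts = re.split(r"\s+[-|:]\s+", title, maxsplit=1)
    return parts[0].strip() if len(parts) == 2 else ""


def classify_auth(obs: Observation) -> str:
    """Assumed heuristics for authentication state (see module docstring)."""
    hdrs = {k.lower(): v for k, v in obs.headers.items()}
    body = obs.body.lower()
    if obs.status in (401, 403) or "www-authenticate" in hdrs:
        return "authenticated"
    if re.search(r'<input[^>]+type=["\']?password', body):
        return "authenticated"
    if re.search(r"\b(read[- ]only|view[- ]only)\b", body):
        return "read-only"
    return "unauthenticated"


def build_notification(observations: list) -> list:
    """Build the per-host rows a regulator would receive: IP, port, title,
    title-derived location and auth state, most exposed hosts first."""
    rows = []
    for obs in observations:
        title = parse_title(obs.body)
        rows.append({
            "ip": obs.ip, "port": obs.port, "title": title,
            "location": location_from_title(title),
            "auth_state": classify_auth(obs),
        })
    rows.sort(key=lambda r: (PRIORITY[r["auth_state"]], r["ip"], r["port"]))
    return rows


def count_by_state(rows: list) -> dict:
    """Summary counts used to decide which class of hosts to prioritize."""
    counts = {}
    for r in rows:
        counts[r["auth_state"]] = counts.get(r["auth_state"], 0) + 1
    return counts


# Constructed sample responses: RFC 5737 documentation addresses, fictional sites.
SAMPLE = [
    Observation("192.0.2.10", 80, 200, {"Content-Type": "text/html"},
                "<html><head><title>Anytown WTP - Plant Overview</title></head>"
                "<body><div id='hmi'>Chlorine residual: 1.2 mg/L</div></body></html>"),
    Observation("192.0.2.11", 8080, 200, {"Content-Type": "text/html"},
                "<html><head><title>Riverside Lift Station | HMI</title></head>"
                "<body><p>Read-only view. Controls disabled.</p></body></html>"),
    Observation("192.0.2.12", 80, 401, {"WWW-Authenticate": 'Basic realm="HMI"'},
                "<html><head><title>Hilltown Wells</title></head>"
                "<body>Authorization required</body></html>"),
    Observation("192.0.2.13", 443, 200, {"Content-Type": "text/html"},
                "<html><head><title>Login</title></head><body><form>"
                "<input name='user'><input type='password' name='pw'>"
                "</form></body></html>"),
]

if __name__ == "__main__":
    rows = build_notification(SAMPLE)
    for row in rows:
        print(row)
    print(count_by_state(rows))
```

The sort key puts unauthenticated hosts ahead of read-only ones and both ahead of anything behind a login, which is the ordering the EPA applied when it took the 300-plus unauthenticated and read-only hosts first. A real pipeline would validate the heuristics against manually reviewed samples before trusting them; a page that hides its controls behind JavaScript or serves a login form only on a sub-path would be misclassified by these rules.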

Nine days later, we received confirmation from the EPA that mitigations were in place for 24% of the systems we notified them about. They also contacted the manufacturer, who began assisting their customers with remediation of the exposures.

In mid-November, roughly a month later, 58% of the read-only and unauthenticated systems had been protected and removed from the public internet. The manufacturer also used this incident as an opportunity to strengthen the security posture of affected utilities by helping implement multifactor authentication and other security best practices.
