Sometime last summer, hackers invaded a New Jersey company’s web-accessible heating and air-conditioning systems using a gaping security hole in the system’s supervisory control and data acquisition (SCADA) software.
Ars Technica reports that an IT contractor who works with the business informed F.B.I. agents investigating the breach that controls for the HVAC system were “directly connected to the Internet” and there was no “interposing firewall.”
The backdoor into the controls is found in some versions of the Niagara AX Framework, software that controls similar systems at the Pentagon and the Federal Bureau of Investigation. An F.B.I. memo issued in July said any hacker who found their way into the nameless New Jersey company’s Niagara controls would have been able to learn the same information available to a systems administrator, such as “a floor plan layout of the office, with control fields and feedback for each office and shop area.” The web interface wasn’t even password-protected. Read More