Home Business IT Security Two US water authorities' control systems breached

In the past few days, two separate US-based water authorities appear to have had their control systems breached - one of them has suffered physical damage.

Originally announced via Joe Weiss' ControlGlobal website and expanded in a number of other reports, it seems that some kind of breach into the control (SCADA) system at Curran-Gardner Townships Public Water District near Springfield, Illinois occurred, leading to the burn-out of a water pump.

According to the secret report obtained by Weiss (dated Nov 10th and referring to the discovery of the attack two days earlier), it appears that the site's control system vendor had previously been hacked and various customer usernames and passwords taken.  Although not stated, presumably this gave insight into how to connect to the Curran-Gardner system.

It appears that once having control of the SCADA system, the intruder was able to repeatedly turn the pump on and off, leading to its burn-out (note some reporters have suggested the SCADA system itself was turned on ad off repeatedly; this is a laughable proposition).  Weiss also reports that the site had been (in hindsight) suffering such issues for a couple of months with site workers commonly observing unexplained problems with the system. 

Back tracking the attack led to an IP address located in Russia, although as most researchers know, such attribution is flimsy at best; in fact the perpetrator could have been absolutely anywhere.  The FBI and DHS were reported to have stated that they are "gathering facts surrounding the report of a water pump failure in Springfield Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety." 

Really?  A water authority's control system is breached, leading to the destruction of a pump (potentially costing hundreds of thousands of dollars to replace depending on the size of the pump) and you don't believe there's a risk to critical infrastructure?

Let's segue to a second attack by touching on a November 18th PasteBin posting by its perpetrator (who goes by the handle of 'Pr0f'), who posted five screen shots of various pages in the City of South Houston's water management system. 

All images are date-stamped around 12:30pm on November 18th and show five separate realistic-looking control system pages from (according to 'Pr0f') a Siemens SIMATIC control system (example pages from Siemens' website show similarly constructed demonstration pages).

As an aside, this writer has some experience in SCADA systems and would have been very embarrassed regarding the design quality of the pages, had they been mine.  Have a look at them and note for instance how matching elements on similar pages are not properly aligned.

The next day, 'Pr0f' is back again with something of an essay where he offers a tirade against government response to such intrusions.

I don't think I am alone in suggesting that the gravity of the problem is more serious than ICS-Cert and similar are equipped to deal with. I would love to see some real reform and discussions between the government, manufacturers of ICS, and people who use these systems happening, because there seems to be a huge disconnect between the parties involved.

I don't have much of a doubt the FBI will be investigating recent events, and I suspect my future may well contain orange uniforms and bad food, but I feel that there's a serious need to highlight these issues publicly worth all costs. Discussion is needed, but more than that, we need action.

Very few others seem to want to talk about anything from anything other than a theoretical standpoint, and legal systems across the world are attempting to stamp-out proactive, offensive security, under the misguided belief that this will somehow deter people from attacking systems.

(It won't.)

I couldn't have said it better myself.

'Pr0f' also offers a call-out to "The City of South Houston, Texas, for dealing with the highlighted security issue quickly professionally, and noting that I did indeed cause no damage."

A local Houston news outlet reported that the local Mayor confirmed no damage had been done and that the system had "been taken offline" whatever that means.

When it's this simple to get into control systems upon which the lives of millions of people rely, there is something very seriously wrong with the way these systems are configured and with governmental responses to such breaches.

'Pr0f' has been contacted for further response.



Download an in-depth guide to managing a healthy, motivated and energetic workforce without breaking the bank.


David Heath

joomla statistics

David Heath has over 25 years experience in the IT industry, specializing particularly in customer support, security and computer networking. Heath has worked previously as head of IT for The Television Shopping Network, as the network and desktop manager for Armstrong Jones (a major funds management organization) and has consulted into various Australian federal government agencies (including the Department of Immigration and the Australian Bureau of Criminal Intelligence). He has also served on various state, national and international committees for Novell Users International; he was also the organising chairman for the 1994 Novell Users' Conference in Brisbane. Heath is currently employed as an Instructional Designer, building technical training courses for industrial process control systems.






Join the iTWire Community and be part of the latest news, invites to exclusive events, whitepapers and educational materials and oppertunities.
Why do I want to receive this daily update?
  • The latest features from iTWire
  • Free whitepaper downloads
  • Industry opportunities