Home Business IT Security Two US water authorities' control systems breached
×

Warning

JUser: :_load: Unable to load user with ID: 3018

Two US water authorities' control systems breached

  • 22 November 2011
  • Written by 
  • Published in Security

In the past few days, two separate US-based water authorities appear to have had their control systems breached - one of them has suffered physical damage.

Originally announced via Joe Weiss' ControlGlobal website and expanded in a number of other reports, it seems that some kind of breach into the control (SCADA) system at Curran-Gardner Townships Public Water District near Springfield, Illinois occurred, leading to the burn-out of a water pump.

According to the secret report obtained by Weiss (dated Nov 10th and referring to the discovery of the attack two days earlier), it appears that the site's control system vendor had previously been hacked and various customer usernames and passwords taken.  Although not stated, presumably this gave insight into how to connect to the Curran-Gardner system.

It appears that once having control of the SCADA system, the intruder was able to repeatedly turn the pump on and off, leading to its burn-out (note some reporters have suggested the SCADA system itself was turned on ad off repeatedly; this is a laughable proposition).  Weiss also reports that the site had been (in hindsight) suffering such issues for a couple of months with site workers commonly observing unexplained problems with the system. 

Back tracking the attack led to an IP address located in Russia, although as most researchers know, such attribution is flimsy at best; in fact the perpetrator could have been absolutely anywhere.  The FBI and DHS were reported to have stated that they are "gathering facts surrounding the report of a water pump failure in Springfield Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety." 

Really?  A water authority's control system is breached, leading to the destruction of a pump (potentially costing hundreds of thousands of dollars to replace depending on the size of the pump) and you don't believe there's a risk to critical infrastructure?

Let's segue to a second attack by touching on a November 18th PasteBin posting by its perpetrator (who goes by the handle of 'Pr0f'), who posted five screen shots of various pages in the City of South Houston's water management system. 


All images are date-stamped around 12:30pm on November 18th and show five separate realistic-looking control system pages from (according to 'Pr0f') a Siemens SIMATIC control system (example pages from Siemens' website show similarly constructed demonstration pages).

As an aside, this writer has some experience in SCADA systems and would have been very embarrassed regarding the design quality of the pages, had they been mine.  Have a look at them and note for instance how matching elements on similar pages are not properly aligned.

The next day, 'Pr0f' is back again with something of an essay where he offers a tirade against government response to such intrusions.

I don't think I am alone in suggesting that the gravity of the problem is more serious than ICS-Cert and similar are equipped to deal with. I would love to see some real reform and discussions between the government, manufacturers of ICS, and people who use these systems happening, because there seems to be a huge disconnect between the parties involved.

I don't have much of a doubt the FBI will be investigating recent events, and I suspect my future may well contain orange uniforms and bad food, but I feel that there's a serious need to highlight these issues publicly worth all costs. Discussion is needed, but more than that, we need action.

Very few others seem to want to talk about anything from anything other than a theoretical standpoint, and legal systems across the world are attempting to stamp-out proactive, offensive security, under the misguided belief that this will somehow deter people from attacking systems.

(It won't.)


I couldn't have said it better myself.

'Pr0f' also offers a call-out to "The City of South Houston, Texas, for dealing with the highlighted security issue quickly professionally, and noting that I did indeed cause no damage."

A local Houston news outlet reported that the local Mayor confirmed no damage had been done and that the system had "been taken offline" whatever that means.

When it's this simple to get into control systems upon which the lives of millions of people rely, there is something very seriously wrong with the way these systems are configured and with governmental responses to such breaches.

'Pr0f' has been contacted for further response.

 

LEARN NBN TRICKS AND TRAPS WITH FREE NBN SURVIVAL GUIDE

Did you know: Key business communication services may not work on the NBN?

Would your office survive without a phone, fax or email?

Avoid disruption and despair for your business.

Learn the NBN tricks and traps with your FREE 10-page NBN Business Survival Guide

The NBN Business Survival Guide answers your key questions:

· When can I get NBN?
· Will my business phones work?
· Will fax & EFTPOS be affected?
· How much will NBN cost?
· When should I start preparing?

DOWNLOAD NOW!