Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
There was a cyber attack reported on the water SCADA system at the Curran-Gardner Township Public Water District, in Illinois. Now, it seems like a second water utility suffered from a hack attack. This time in the City of South Houston.
The incident first came to light in an Illinois state cyber fusion notice dated Nov. 10 and then security researcher Joe Weiss filed a blog on the event and shared some information with Wired Magazine and KrebsOnSecurity:
“Sometime during the day of Nov. 8, 2011, a water district employee noticed problems with a SCADA system. An information technology service and repair company checked the computer logs of the SCADA system and determined the system had been remotely hacked into from an Internet provider address located in Russia…
“Over a period of 2-3 months, minor glitches have been observed in remote access to the water district’s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump.”
One thought is the attackers breached the IT systems of the company that either manages or makes the SCADA systems used at Curran-Gardner and stole customer usernames and passwords. The attackers then used this information to infiltrate the Curran-Gardner SCADA system.
The ink wasn’t dry on the news of the first attack when a hacker using the name “pr0f” or “@pr0f_srs” published information of a successful penetration of the South Houston Water Utility. This attacker used an unrelated technique to gain access to the water utility and then posted several screenshots of the control system on PasteBin.
Pr0f makes it very clear that his was not a malicious attack, only a proof-of-concept to show SCADA systems are very insecure:
“I dislike, immensely, how the DHS tend to downplay how absolutely (expletive deleted) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done. So, y’know … the city of South Houston has a really insecure system. Wanna see? I know ya do.
“I’m not going to expose the details of the box. No damage was done to any of the machinery; I don’t really like mindless vandalism. It’s stupid and silly.
“On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic.”
Pr0f then wrote a second, very articulate article on PasteBin explaining why he did the attack. Pr0f makes some good points:
“It’s not as grim and war-like as the media are making it out to be, at all. ‘Cyber war’ and all of that is little more than hype, and I’d like to address that in a moment. But it is a sign that the security-poor institutional culture in automation needs changing, and needs changing fast…
“I would like to go on record and say that the main reason I did what I (did) yesterday was essentially because I know I am not the only person with an interest in these systems. I also know I am not the only person who has explored them and read up on them. However, at least I am going public(ish) and trying to draw attention to the topic…
“I don’t think I am alone in suggesting that the gravity of the problem is more serious than ICS-CERT and similar are equipped to deal with. I would love to see some real reform and discussions between the government, manufacturers of ICS, and people who use these systems happening, because there seems to be a huge disconnect between the parties involved.”
The sad fact is quite a few companies and industries are still not taking security seriously. Even these two incidents probably won’t be enough of a wakeup call for most companies. I hope it won’t take a disaster to get the SCADA users, vendors and government moving toward making our critical infrastructures more robust and secure.
Eric Byres is chief technology officer at Byres Security. Click here to read the full version of the Practical SCADA Security blog.