Reports emerged at the end of last week that a SCADA-based water system in the US had been hacked.
The system manufacturer, Applied Control Solutions, did not identify the water utility attacked or the SCADA software vendor compromised, but managing partner Joe Weiss did confirm that "there was damage – the SCADA system was powered on and off, burning out a water pump", according to a blog post.
He also revealed that attackers breached the network and stole customer usernames and passwords. Speaking to CNet, Weiss declined to say where the utility was based, yet a Department of Homeland Security representative in the US later indicated that the facility was located in Springfield, Illinois.
Weiss could not say how the SCADA vendor was breached, but speculated that programmable logic controllers (PLCs) were involved in the attacks as water utilities "are very dependent on PLCs".
He also said the report indicated that the IP address used in the attack was traced to Russia. However, that did not mean that the attack was launched from there.
Chester Wisniewski, senior security advisor at Sophos Canada, said: “The attackers were repeatedly turning a pump on and off until it caused the pump to fail, raising an alert to the operators. Upon investigation they determined that attackers may have infiltrated the system starting in September, although the attack wasn't discovered until 8 November.
“It would appear it is common practice these days to connect these sensitive critical infrastructure systems to the public internet and use common off-the-shelf software to manage them.
“Convenience and price are always desirable to those responsible for managing these systems, but this is bordering on the criminally negligent when you are responsible for our water, power, gas and other sensitive utilities. The Department of Homeland Security needs to do a top-down audit of these systems and mandate that these insecure practices come to an end.”
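As an added example (not from the report or from any of the vendors quoted), the following Python flags the behaviour Wisniewski describes, a pump being commanded on and off far faster than normal operation, from a constructed control-event log; the log format, pump names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed pump-control log (not real data): P2 mimics rapid on/off
# cycling, P1 a normal daily cycle, and one STOP for P2 is a duplicate.
SAMPLE_LOG = """\
2011-11-08 06:00:00 pump=P1 cmd=START
2011-11-08 09:58:10 pump=P2 cmd=START
2011-11-08 10:00:03 pump=P2 cmd=STOP
2011-11-08 10:00:05 pump=P2 cmd=STOP
2011-11-08 10:00:41 pump=P2 cmd=START
2011-11-08 10:01:12 pump=P2 cmd=STOP
2011-11-08 10:01:50 pump=P2 cmd=START
2011-11-08 10:02:25 pump=P2 cmd=STOP
2011-11-08 10:03:02 pump=P2 cmd=START
2011-11-08 14:00:00 pump=P1 cmd=STOP
"""
LINE_RE = re.compile(r"^(\S+ \S+) pump=(\S+) cmd=(START|STOP)$")


def parse_events(text):
    """Parse log lines into (timestamp, pump, command), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated record types are skipped
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def detect_rapid_cycling(events, window=timedelta(minutes=10), max_changes=4):
    """Flag a pump whose state changes more than max_changes times inside a sliding
    window; returns {pump: (window_start, trip_time, changes)} for the first trip."""
    recent = defaultdict(deque)  # pump -> timestamps of recent state changes
    last_cmd, alerts = {}, {}
    for ts, pump, cmd in events:
        if last_cmd.get(pump) == cmd:
            continue  # a repeated identical command is not a state change
        last_cmd[pump] = cmd
        q = recent[pump]
        q.append(ts)
        while ts - q[0] > window:  # drop changes that fell out of the window
            q.popleft()
        if len(q) > max_changes and pump not in alerts:
            alerts[pump] = (q[0], ts, len(q))
    return alerts


def run_sample():
    return detect_rapid_cycling(parse_events(SAMPLE_LOG))
```

In a real plant the thresholds would be set from the pump's rated duty cycle, and the alert should carry the source of the commands so operators can tell an HMI fault from an unauthorised session.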
David Marcus, director of security research at McAfee Labs, said: “Questions I often hear concerning incidents like this range from ‘how easy is it to attack SCADA networks?’ to ‘are we going to see more of these types of attacks?’.
“The answers are quite simple. It is really no more difficult to attack a SCADA network or system than it is to attack any other system. It just takes time, certain types of knowledge and dedicated resources for developing the attack – same as any other attack vector or target. The second question is trickier.
“Certainly we may see more SCADA-based or SCADA-focused attacks in the future. Attackers tend to target systems that can be successfully compromised, and recent history has shown that these systems are at least as vulnerable as other types of networked systems. But that isn't really the point. In my mind, the second question often morphs into ‘how do we know they are not already compromised and actively under attack now?’.
“My gut tells me that there is greater targeting and wider compromise than we know about. Why? Again, my instincts tell me that there is a lack of cyber forensics and response procedures at most of these facilities. If you do not have cyber forensic capabilities, it is hard to know if you have a cyber intrusion. Does this mean that I think it is cyber-Armageddon time? No, but it is certainly prudent to evaluate our systems and ask some questions.”
Marcus recommended SCADA network administrators include ‘cyber’ in all risk management; set up extensive penetration testing and extensive counter-social engineering training; put a SCADA-specific CERT plan and team in place; network with law enforcement agencies at all levels; and expect to get attacked and take appropriate countermeasures.