Foreign hackers broke into Illinois water plant control system, industry expert says

Originally posted by Fractured.Facade
If they can damage a water pump in this case, imagine what they could do if they could hack into critical control systems in a nuclear power plant.

To the best of my knowledge, no nuclear power plants in the US use SCADA for control of any safety related systems. Monitoring yes, but not control.

reply to post by SirMike


You'd be surprised to learn how many ancillary and redundant systems are vulnerable, and can be compromised, creating scenarios that can lead to a cascade of failures that can ultimately impact more critical systems.

Don't fall for the false sense of security here.

Cyberwarfare is becoming far more elaborate, sophisticated and ultimately effective than the general populous are aware of.

Fukushima is not the only reason why so many nations are wanting to move away from nuclear power.

Even US defense networks have been compromised by an infected laptop, and it led to very serious breaches of security including classified materials, data etc..

But hey, this was just a random attack on a water pump... No worries here.

reply to post by Fractured.Facade


A hack on a non safety related system at a nuclear plant would not, by its very definition, cause an issue on a safety related system ... hence the designation.

reply to post by SirMike


Yeah, okay... If you're good with that so am I.

reply to post by Fractured.Facade


Don't get me wrong.. this was no random thing. that fact can be inferred from the choice of target reported.

However, it defies logic that we would "require" an Internet-based control grid for national infrastructure.

That seems highly irresponsible.

Would you feel safe travelling by air if you knew that plane and air traffic control systems could be accessed via the internet?

Why would our potable water systems require less security?

I think our 'experts' need to focus less on Viacom rights to profit on 1980's hit single video clips on YouTube; and bit more focus on security that deals with life and death issues, like water and power..

But that's just me, I guess.

reply to post by Fractured.Facade


Well, its agreed then.

I work in the power industry and have a decent handle on how these things work. See, here’s the thing, if you are going to make a statement like that and be so certain about it, please offer up a mechanism for it to occur. If you have a specific example of how a hack could cause a failure in a non-safety related system, I am all ears … seriously.

reply to post by Maxmars


You don't necessarily need an internet connection.

In the case of the U.S. defense networks that were severely compromised by a "smart worm" that could go dormant and then active and retrieve and relay data, communications etc., was initially installed in a defense laptop in the ME via a thumb-drive, many years ago.

It is all about where vulnerabilities exist in ANY system, and how to access it .... and then?

reply to post by Maxmars

For those who do not know, 747's are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 in route. If issues are noted, they can re-tune the engine in air.

gse-compliance.blogspot.com...

reply to post by aivlas


HOLY BLEEP BATMAN thats worring.

As an IT engineer i can say that linking things that dont need to be on the internet, to it anyway for easy access - well some things just sound be at all.

Water mains, gas mains, tax records, tax info bank info etc should never be available outside of those premisis, i do not care if the guy in charge gets more flexitime or whatever working from home - its just asking for trouble.

engine adjustments via com link to flying craft is the most daft thing i ever heard EVER. why even have a blooody pilot, right?

remotely flying a 747 from the ground seems not only plausible...but very possible....just one more reason to the list of why i won't set foot on a plane, again.

)reply to post by aivlas


More from your source...

In 2000 I contracted to the Sydney Olympic authority. To make the Olympics run smoothly, they NSW government officials decided to connect control systems into a central head-quarters. We linked: Traffic systems

Rail systems

Water systems

Power systems

Emergency response systems / Police

Sewerage systems

That was only the tip of the iceberg. The rail systems had been connected to report on rail movements. They used a Java class file that was set to read the signals devices. The class was not protected, but the read only status was considered sufficient (despite protests to the contrary).

Once the Olympics ended, so did any funds to maintain the system. Nothing was done to remove the inter-connectivity, it was considered valuable, but like all systems that are not maintained, it has slowly become less and less secure.

These network remain connected even now, though many of the people involved in setting them up have left. In fact, many of these networks are not even documented and known by the current people in the various departments.

Some of the systems are running on Windows 98, not XP, 98.

Nearly all SCADA systems are online. The addition of a simple NAT device is NOT a control. Most of these systems are horribly patches and some run DOS, Win 95, Win 98 and even old Unixs. Some are on outdated versions of VMS. One I know of is on a Cray and another is on a PDP-11. The last of these has an issue as they do not believe it will ever restart if it goes down. So that PDP-11 is not touched. We scanned a system at that network a couple years back and it crashed, the answer was that we could not ever ping the PDP-11 as it was thought it could also crash.

The were scared that a ping would bring an entire system down?

Brilliant...


Regarding the OP, a report @ MSNBC has some'interesting and disturbing additions.

The attackers obtained access to the network of a water utility in a rural community west of the state capital Springfield with credentials stolen from a company that makes software used to control industrial systems, according to the account obtained by Weiss. It did not explain the motive of the attackers.

First off, one would hope that companies that provide support to civic utilities would secure those crecentials a bit better, but it looks like that has not been the case in this case. Secondly, I would propose that their motive is as simple as proof-of-concept. That is, "can t be done?" They could also be looking to see what the response is and use that to determine how further attacks should proceed.

"Many (SCADA systems) are old and vulnerable," said Kass. "There are no financial incentives for the utility owners to replace and secure these systems and the costs would be high."

U.S. Rep Jim Lanvevin, a Democrat from Rhode Island,said that the report of the attack highlighted the need to pass legislation to improve cyber security of the U.S. critical infrastructure.

"The stakes are too high for us to fail, and our citizens will be the ones to suffer the consequences of our inaction," he said in a statement.

"...no financial incentives..."

I mean, the safety and security of these systems isn't important enough to spend the requisite funds on them for the updates.

Unless they can "...pass legislation to improve cybersecurity..."

Which to me, every time I think of congress passing lktegislation, I think of them writing checks with my money (providing facial incentives to companies) to grease another palm.

"The stakes are too high..." reminds me a bit of "too big to fail"

reply to post by jcord


You're absolutely right.

In fact, when the government agencies that wanted this first proposed it, their own IT departments and computer hackers told them that it would be a horrible idea. It would make US infrastructure way too vulnerable to cyber attack.

When the "criminal" hackers tell you something like this, you should probably listen.

FIRESALE

anyone?

Update:

"This is arguably the first case where we have had a hack of critical infrastructure from outside the United States that caused damage," Applied Control Solutions managing partner Joseph Weiss told AFP.

"That is what is so big about this," he continued. "They could have done anything because they had access to the master station."

The Illinois Statewide Terrorism and Intelligence Center disclosed the cyber assault on a public water facility outside the city of Springfield last week but attackers gained access to the system months earlier, Weiss said.

The network breach was exposed after cyber intruders burned out a pump.

"No one realized the hackers were in there until they started turning on and off the pump," according to Weiss.

Had unrestricted, unobserved access for months.

"We don't know how many other SCADA systems have been compromised because they don't really have cyber forensics," said Weiss, who is based in California.

This fills me with lots of confidence.

For the sarcasm impaired, y previous statement was, indeed, tongue in cheek.

Word also circulated on Friday that a water supply network in Texas might have been breached in a cyber attack, according to McAfee Labs security research director David Marcus.

"My gut tells me that there is greater targeting and wider compromise than we know about," Marcus said in a blog post.

Article @ physorg

And then there is this:

Meanwhile, a hacker has told the tech website CNET he hacked into a South Houston water utility to show it can easily be done, after officials downplayed the Illinois cyber attack.

The hacker, using the alias ''pr0f'', said he has hacked other SCADA systems, too.

Then he provided screenshots of what looked like diagrams of water and waste water treatment facilities in South Houston, Texas.

Asked how he broke into systems, pr0f said: ''As for how I did it, it's usually a combination of poor configuration of services, bad password choice and no restrictions on who can access the interfaces.''

Sydney Morning Herald

What idiot allowed for connection of the water supply to a public based network. Some people are seriously braindead or was public access allowed on purpose?

reply to post by jadedANDcynical


Thanks for the update

I once saw an unprotected .ica file floating on the net. Was quite a long time ago. It was some form of computer system controlling a few US highway signs. And if I remember correctly it was not protected by a password. Not quite SCADA, or nuclear power plant, but still shows that the worst security bug is a lax administrator thinking that no one could touch his Ubersystem. (Also Google file search is quite handy) I'm saying this just to show that one doesn't need a virus to control a computer online. In my humble opinion critical computer systems should never be connected to the Internet.

Considering the water plant case. In Russian Mass media they portray this as Russians hacking the water system. Two questions spring to mind. Just my two kopeks follows.

1.) Why weren't the banks, or ATMs hacked? - Russian hackers are known for their delight in taking "American monies" (Half--joke) no point in doing some water systems.

2.) Why would Russian Mass media portray it as a Russian hacker attack, when the US discusses military strikes against cybercrime (They broke our cow watering pumps! Tomahawk 'em! Yihaaa! ) - Not very subtle of them. The wisest thing would lay low and blame someone else.

Originally posted by jcord
reply to post by Corruption Exposed

 

There is no good reason for having SCADA or industrial control systems accessible through the Internet. This has happened way more than the public knows and has cost billions.
.

edit on 18-11-2011 by jcord because: (no reason given)

This is why I'm always arguing with sales reps when looking into new equipment. None of my systems even have monitoring access to the internet.

This topic needs to get far more attention around here because this is exactly the type of thing that we have been warned about and we have been told to prepare for by FEMA, DHS etc. NASA recently issued action plans for its workers to follow in the event of any variety of situations. etc etc.

This is bad news and just illustrates how vulnerable our infrastructure really is.

Word also circulated on Friday that a water supply network in Texas might have been breached in a cyber attack, according to McAfee Labs security research director David Marcus.

"My gut tells me that there is greater targeting and wider compromise than we know about," Marcus said in a blog post.

"Does this mean that I think it is cyber-Armageddon time?" Marcus continued. "No, but it is certainly prudent to evaluate our systems and ask some questions."

www.breitbart.com...

blogs.mcafee.com...

reply to post by jibeho


It definitely is an important topic. If you're interested here is a thread by another member that describes this type of attack in more detail.

SCADA Hacking Revisited

reply to post by jibeho


You are indeed correct about the need for this to be higher on the radar I expected this thread to shoot to the front page quickly, but it has barely raised a blip on the radar.

And apparently, DHS is still saying that this isn't a cyber attack. An article in the Daily Mail (not the best source granted, but the article speaks for itself) says:

The Department of Homeland Security confirmed that a water plant in Springfield, Illinois, had been damaged.

However spokesman Peter Boogaard said officials had yet to confirm that the pump failure was the result of a cyber-attack.

He said: 'DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Illinois.

'At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.'

Well of course he would say that. We would never admit that our systems are vulnerable to outside attack. On theb other hand acknowledging the fact that our systems are vulnerable might provide additional incentive for the hackers to keep trying. The locals have a different story:

A report from the Illinois terrorism and intelligence center said there had been problems with the system in Springfield for two to three months.

Who do you think is more likely to be correct on this score, the feds, who are on DC, or the locals, who are in the same state?

The method used, hacking a security company to gain entry to another company, was employed earlier this year by cyber attackers in China.

They stole data from RSA, a division of EMC that provides secure remote computer access to government agencies. They then went on to get into the computer systems of companies, including Lockheed Martin.

Security experts say the attacks show just how vulnerable companies and utilities are.

Gen. Keith Alexander, head of U.S. Cyber Command and director of the National Security Agency, said: 'RSA is the gold standard. If they got hacked, where does that leave the rest?'

Mr Alexander is among senior U.S. officials who have warned of the danger of cyber attacks on critical infrastructure.

At least some of the top brass (literally) is concerned and willing to admit that there are issues that need to be addressed.

An article @ Security News Daily (which I cannot copy/paste from for some reason on my Android Tablet) indicates the difficulties in upgrading these (SCADA) systems. The article says that many need to be taken offline in order to perform an upgrade which is both costly and hard to manage. It also indicates that these upgrades are "not a top priority" for the facilities which utilize this type of control.

Now I am not a cyber security expert, however, it seems to me that the ability for outisders to gain access to a critical control system would be a top priority to address, but what do I know?