A Division of Thomas Publishing Company LLC

SCADA Security Breaches Spark Industry Call to Action

posted on 11/22/2011 4:22:02 PM

Following security breaches at two water utilities in the U.S., industry experts are urging government, manufacturers, and automation vendors to band together to solve the SCADA security vulnerabilities that could threaten public safety.

[After this story was published, the Washington Post reported that initial suspicions of a cyberattack on the Illinois plant were unfounded, and indicated that human error was to blame.]

The flurry of reports surrounding SCADA security breaches at two U.S. water utility facilities this month has put industrial control systems and automation platforms back under the microscope, and has industry experts concerned about the ability of these systems to fend off future cyber-attacks.

Last week, cyber-security expert Joe Weiss reported news of a SCADA system hack at a water utility in Springfield, IL, that burned out a water pump. According to Weiss—as well as subsequent reports from Wired and Network World, and a blog by Eric Byres, CTO of Byres Security—the intrusion, first noticed on Nov. 8, appears to have originated from an IP address in Russia. According to Byres’ blog, it is believed that the hacker or hackers first penetrated the network of the unidentified SCADA system vendor or a company that manages the utility’s SCADA network, stealing usernames and passwords of customers to gain remote access to the utility’s network.

While the Department of Homeland Security has said it is investigating the Illinois incident, officials indicated that aside from the pump failure, there is no data that points to a public safety threat.

Meanwhile, a “friendly-fire” incident at a water utility in Houston, Texas, came to light soon after, pulled off by a hacker using the screen name “pr0f” or “@pr0f_srs,” Byres reported. Apparently frustrated by the way Homeland Security downplays the vulnerability of critical infrastructure, pr0f launched a proof-of-concept attack on the Houston facility, posting several screenshots of the plant’s control architecture to demonstrate what pr0f said was the system’s vulnerability.

According to a post by pr0f on the Pastebin website, the hack was not meant to be malicious, but to attract attention to cyber-insecurity:

“I don't think I am alone in suggesting that the gravity of the problem is more serious than ICS-Cert and similar are equipped to deal with. I would love to see some real reform and discussions between the government, manufacturers of ICS, and people who use these systems happening, because there seems to be a huge disconnect between the parties involved.

“I don't have much of a doubt the FBI will be investigating recent events, and I suspect my future may well contain orange uniforms and bad food, but I feel that there's a serious need to highlight these issues publicly worth all costs. Discussion is needed, but more than that, we need action.”

A call to action is what has resulted, as security experts are banging their drums a little louder in hopes of getting the industry and government to wake up and work together to secure SCADA systems. Many experts say locking down the barrier between the corporate network and industrial control systems could stop a malicious infiltration.

In addition, Weiss outlined other suggested actions, including providing better coordination and disclosure by the government; better information-sharing in the industry; better control system cyber-security training policies; and the implementation of control system forensics.

“The sad fact is that many companies and many industries are still not taking security seriously,” said Byres in his blog. “Even these two incidents probably won’t be enough of a wakeup call for most companies. I just pray that it won’t take a disaster to get the SCADA users, vendors, and government moving toward making our critical infrastructures more robust and secure.”