Reports emerged at the end of last week that a SCADA-based water system in the US had been hacked.
The system manufacturer, Applied Control Solutions, didn't identify the water utility attacked or the SCADA software vendor compromised, but managing partner Joe Weiss did confirm that "there has been damage - the SCADA system was powered off and on, burning out a water pump", according to a blog post.
He also revealed that attackers breached the network and stole customer usernames and passwords. Talking to CNet, Weiss declined to mention where the utility was based, yet a US Department of Homeland Security representative later indicated that it was located in Springfield, Illinois.
Weiss couldn't say how the SCADA vendor was breached, but speculated that programmable logic controllers (PLCs) were involved in the attack, as water utilities "are very dependent on PLCs".
He also said the report indicated that the IP address used in the attack was traced to Russia. However, that didn't mean that the attack was launched from there.
Chester Wisniewski, senior security advisor at Sophos Canada, said: "The attackers were repeatedly turning a pump off and on until it caused the pump to fail, raising an alert to the operators. Upon investigation they determined that attackers may have infiltrated the system starting in September, although the attack wasn't discovered until 8 November.
"It would seem it's common practice nowadays to attach these sensitive critical infrastructure systems to the general public internet and use common off-the-shelf software to manage them.
"Convenience and cost are always desirable to those liable for managing these systems, but this is bordering on the criminally negligent when you're accountable for our water, power, gas and other sensitive utilities. The Department of Homeland Security should do a top-down audit of those systems and mandate that these insecure practices come to an end."
David Marcus, director of security research at McAfee Labs, said: "Questions I often hear concerning incidents like this range from 'how easy is it to attack SCADA networks?' to 'are we going to see more of those varieties of attacks?'.
"The answers are very simple. It truly is no more difficult to attack a SCADA network or system than it is to attack another system. It just takes time, specific sorts of data and dedicated resources for developing the attack - same as every other attack vector or target. The second question is trickier.
"Certainly we might even see more SCADA-based or SCADA-focused attacks at some point. Attackers are inclined to target systems which might be successfully compromised, and recent history has shown that these systems are at least as vulnerable as other varieties of networked systems. But that is not really the purpose. In my mind, the second question often morphs into 'how will we know they don't seem to be already compromised and actively under attack now?'.
"My gut tells me that there's greater targeting and wider compromise than we all know about. Why? Again, my instincts tell me that there's a loss of cyber forensics and response procedures at all these facilities. If you don't have cyber forensic capabilities, it's hard to grasp when you've got a cyber intrusion. Does this mean that I feel it's cyber-Armageddon time? No, however it is unquestionably prudent to gauge our systems and ask some questions."
Marcus recommended that SCADA network administrators include 'cyber' in all risk management; deploy extensive penetration testing and extensive counter-social engineering training; put a SCADA-specific CERT plan and team in place; network with law enforcement agencies at all levels; and expect to get attacked and take appropriate countermeasures.