Feeds

Water utility hackers destroy pump, expert says

SCADA breach 'a really big deal'

The Essential Guide to IT Transformation

Updated Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery, a computer security expert said.

Joe Weiss, a managing partner for Applied Control Solutions, said the breach was most likely performed after the attackers hacked into the maker of the supervisory control and data acquisition software used by the utility and stole user names and passwords belonging to the manufacturer's customers. The unknown attackers used IP addresses that originated in Russia.

Weiss cited an official government report from the state where the regional water district was located. It was dated November 10, two days after the hack was discovered. The document indicates that the utility had been experiencing unexplained problems with its computerized system in the weeks leading up to the breach.

“Over a period of two to three months, minor glitches had been observed in remote access to the water district's SCADA system,” Weiss said during an interview, in which he read a verbatim portion of the document to The Register. He said that the attackers were able to burn out one of the utility's pumps by causing either the pump or the SCADA system that controlled it to turn on and off “repeatedly.”

Weiss said he obtained the report on the condition that the water utility and the state where it's located aren't disclosed. A statement issued by the US Department of Homeland Security indicated the utility was located in Springfield, Illinois. Weiss published bare-bones details of the hack on Thursday because he wanted to bring attention to an incident he said raised serious concerns about the ability of the US government to secure critical infrastructure.

“This is really a big deal, and what's just as big a deal is what isn't being said or isn't being done,” Weiss said. “What the hell is going on with DHS? Why aren't people being notified?”

He said he's unaware of any water utilities or other SCADA operators who know about the attack.

In an email sent several hours after this article was first published, DHS spokesman Peter Boogaard wrote: "DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."

The Register was unable to verify the claims in the report. A security researcher with no affiliation to Weiss said there was no obvious reason to doubt the attack took place as described.

“It's not surprising,” said Rick Moy, President and CEO of NSS Labs. “These things are connected to the internet in ways they shouldn't be. It's very plausible.”

Over the past few years, the vulnerability of the control systems used to operate power plants, gas refineries, and other industrial systems has been underscored by a variety of events. Chief among them was the Stuxnet computer worm that infiltrated SCADA systems in Iran and disrupted that country's nuclear program. Earlier this year, security researcher Dillon Beresford disclosed bugs in widely used control systems that he said were “far reaching and affect every industrialized nation across the globe.”

More recently, researchers discovered highly sophisticated malware dubbed Duqu had infiltrated at least eight industrial facilities throughout the world by exploiting a previously unknown vulnerability in Microsoft Windows. Some researchers say it was created by people with close ties to Stuxnet.

Weiss said the possibility that attackers of the water utility obtained passwords for multiple customers of the SCADA manufacturer left open the possibility that other industrial facilities are also susceptible or may already have been breached. Many industrial control systems rely on passwords that are hard-coded, making it difficult to change stolen passcodes without causing serious problems.

Weiss said the objectives and identities of the attackers remain a mystery. Possibilities could include a nation state doing reconnaissance, recreational hackers looking for laughs, or a criminal gang setting up an elaborate extortion scheme.

“Until you find who did it, there's no way to know what the motive is,” he said. ®

This article was updated to add comment from DHS.

Follow @dangoodin001 on Twitter.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.