Feeds

Second water utility reportedly hit by hack attack

Proof-of-concept intrusion

The Essential Guide to IT Transformation

Images posted online suggest that hackers may have gained unauthorized access to computers controlling a second water treatment facility, a claim that raises additional concerns about of the security of the US's critical infrastructure.

Five computer screenshots posted early Friday purport to show the user interface used to monitor and control equipment at the Water and Sewer Department for the City of South Houston, Texas. They were posted by someone calling himself pr0f to counter comments included in a Register article posted on Thursday in which a US Department of Homeland Security spokesman responded to reports of an attack on a separate water plant by saying there was no “credible corroborated data” indicating critical infrastructure was at risk.

“I dislike, immensely, how the DHS tend to downplay how absolutely FUCKED the state of national infrastructure is,” the post stated. “I've also seen various people doubt the possibility an attack like this could be done.”

pr0f went on to post what he claims is proof that internet-connected computers controlling other industrial equipment are easily accessible to unauthorized parties. The five pictures show what appears to be the HMI, or human machine interface, controlling highly sensitive equipment used by South Houston's Water and Sewer personnel. One interface depicts an apparatus for monitoring and controlling the city's waste-water treatment plant, including a power generator and what appear to be "blowers", which control air flow.

  Water treatment SCADA screenshot   

One of five images posted by 'pr0f' (click to enlarge)

The Register was unable to confirm claims that the images were obtained through the unauthorized access of the system. City officials have yet to confirm or deny pr0f's claims, and representatives with DHS didn't respond to an email seeking comment. The possibility that screen captures of the city's industrial control systems were made by authorized employees for training or other purposes and later obtained by pr0f can't be ruled out.

The posting comes a day after industrial control systems security expert Joe Weiss disclosed contents of a November 10 report from the Illinois Statewide Terrorism and Intelligence Center. It claimed that attackers destroyed a pump belonging to a regional water utility in that state by hackers who gained access to supervisory control and data acquisition systems that manage the utility's machinery. That report remains unconfirmed, although the DHS spokesman said officials from his agency and the FBI are investigating.

While the events over the past two days have yet to be verified, there's no denying that huge amounts of machinery used in gas refineries, power plants, and other industrial facilities are controlled by computers that are connected to the internet. This raises the specter of core parts of the nation's infrastructure being taken over and sabotaged if hackers figure out ways to bypass their security controls. Officials are frequently aware of the risks, but financial constraints and personnel matters often trump those concerns.

“For folks with less resources available and tighter budgets, (there's) web-based remote access,” said Michael Assante, a SCADA security expert and president of the National Board of Information Security Examiners, a nonprofit focused on security workforce training. Having controls available over the internet means many cash-strapped agencies don't have to have dedicated SCADA engineers on premises around the clock, he explained. “They're trying to use the technology to maximize the resources they have available to them.” ®

This article was updated to clarify blowers.

Follow @dangoodin001 on Twitter.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.