Second water utility reportedly hit by hack attack
Images posted online suggest that hackers may have gained unauthorized access to computers controlling a second water treatment facility, a claim that raises additional concerns about of the security of the US's critical infrastructure.
Five computer screenshots posted early Friday purport to show the user interface used to monitor and control equipment at the Water and Sewer Department for the City of South Houston, Texas. They were posted by someone calling himself pr0f to counter comments included in a Register article posted on Thursday in which a US Department of Homeland Security spokesman responded to reports of an attack on a separate water plant by saying there was no “credible corroborated data” indicating critical infrastructure was at risk.
“I dislike, immensely, how the DHS tend to downplay how absolutely FUCKED the state of national infrastructure is,” the post stated. “I've also seen various people doubt the possibility an attack like this could be done.”
pr0f went on to post what he claims is proof that internet-connected computers controlling other industrial equipment are easily accessible to unauthorized parties. The five pictures show what appears to be the HMI, or human machine interface, controlling highly sensitive equipment used by South Houston's Water and Sewer personnel. One interface depicts an apparatus for monitoring and controlling the city's waste-water treatment plant, including a power generator and what appear to be "blowers", which control air flow.
The Register was unable to confirm claims that the images were obtained through the unauthorized access of the system. City officials have yet to confirm or deny pr0f's claims, and representatives with DHS didn't respond to an email seeking comment. The possibility that screen captures of the city's industrial control systems were made by authorized employees for training or other purposes and later obtained by pr0f can't be ruled out.
The posting comes a day after industrial control systems security expert Joe Weiss disclosed contents of a November 10 report from the Illinois Statewide Terrorism and Intelligence Center. It claimed that attackers destroyed a pump belonging to a regional water utility in that state by hackers who gained access to supervisory control and data acquisition systems that manage the utility's machinery. That report remains unconfirmed, although the DHS spokesman said officials from his agency and the FBI are investigating.
While the events over the past two days have yet to be verified, there's no denying that huge amounts of machinery used in gas refineries, power plants, and other industrial facilities are controlled by computers that are connected to the internet. This raises the specter of core parts of the nation's infrastructure being taken over and sabotaged if hackers figure out ways to bypass their security controls. Officials are frequently aware of the risks, but financial constraints and personnel matters often trump those concerns.
“For folks with less resources available and tighter budgets, (there's) web-based remote access,” said Michael Assante, a SCADA security expert and president of the National Board of Information Security Examiners, a nonprofit focused on security workforce training. Having controls available over the internet means many cash-strapped agencies don't have to have dedicated SCADA engineers on premises around the clock, he explained. “They're trying to use the technology to maximize the resources they have available to them.” ®
This article was updated to clarify blowers.
Follow @dangoodin001 on Twitter.
For the record, blowers compress air to pressures intermediate between fans and compressors. They're used at wastewater treatment works to aerate activated sludge plants and aerobic digesters (the former are not shown on the hmi - presumably on another page to the 'left'?). The aerobic bacteria that eat the waste would otherwise use up the available dissolved oxygen very quickly and die. The process would then 'go septic' and be populated by anaerobic bacteria producing methane and hydrogen sulfide and various other gases that are foul-smelling, corrosive and/or explosive.
ie it's unlikely the blowers are there to 'disperse accumulated gas'.
I suspect the plant in question would be this one - http://g.co/maps/ybhvb
I'm actually pretty terrified about attacks on water infrastructure SCADA. Petrochem and Chemical plants are much more susceptible to going bang but equally have vastly more money thrown at them. For the most part water infrastructure is, once built, minimally funded until something finally breaks.
Its the usual thing
An Engineer said hey look we can connect these sites together to provide better customer service, Engineers can fix faults quickly, when we are short of engineers 1 guy can manage the network temporarily and I don't have to drive to the back of beyond that would save labour and fuel costs.
Look here is a working test. But we must spend some money to make sure it works properly and its secure just think what could happen?
PHB boss hears CONNECT SITES TOGETHER, FIX FAULTS, 1 GUY CAN MANAGE THE NETWORK(I can sack the rest including the one who thought of it - he knows the truth), SAVE LABOUR AND FUEL COSTS, WORKING,JUST THINK WHAT COULD HAPPEN TO my bonus.
and so a new system is born.
Until governments see infrastructure as key to the health of the realm and spend money regulating them (including threatening to send negligent bosses to jail like SOX) this will happen again and again.
Some things are just a bad idea and just because you can do them doesn't mean you should.