Feeds

Second water utility reportedly hit by hack attack

Proof-of-concept intrusion

The essential guide to IT transformation

Images posted online suggest that hackers may have gained unauthorized access to computers controlling a second water treatment facility, a claim that raises additional concerns about of the security of the US's critical infrastructure.

Five computer screenshots posted early Friday purport to show the user interface used to monitor and control equipment at the Water and Sewer Department for the City of South Houston, Texas. They were posted by someone calling himself pr0f to counter comments included in a Register article posted on Thursday in which a US Department of Homeland Security spokesman responded to reports of an attack on a separate water plant by saying there was no “credible corroborated data” indicating critical infrastructure was at risk.

“I dislike, immensely, how the DHS tend to downplay how absolutely FUCKED the state of national infrastructure is,” the post stated. “I've also seen various people doubt the possibility an attack like this could be done.”

pr0f went on to post what he claims is proof that internet-connected computers controlling other industrial equipment are easily accessible to unauthorized parties. The five pictures show what appears to be the HMI, or human machine interface, controlling highly sensitive equipment used by South Houston's Water and Sewer personnel. One interface depicts an apparatus for monitoring and controlling the city's waste-water treatment plant, including a power generator and what appear to be "blowers", which control air flow.

  Water treatment SCADA screenshot   

One of five images posted by 'pr0f' (click to enlarge)

The Register was unable to confirm claims that the images were obtained through the unauthorized access of the system. City officials have yet to confirm or deny pr0f's claims, and representatives with DHS didn't respond to an email seeking comment. The possibility that screen captures of the city's industrial control systems were made by authorized employees for training or other purposes and later obtained by pr0f can't be ruled out.

The posting comes a day after industrial control systems security expert Joe Weiss disclosed contents of a November 10 report from the Illinois Statewide Terrorism and Intelligence Center. It claimed that attackers destroyed a pump belonging to a regional water utility in that state by hackers who gained access to supervisory control and data acquisition systems that manage the utility's machinery. That report remains unconfirmed, although the DHS spokesman said officials from his agency and the FBI are investigating.

While the events over the past two days have yet to be verified, there's no denying that huge amounts of machinery used in gas refineries, power plants, and other industrial facilities are controlled by computers that are connected to the internet. This raises the specter of core parts of the nation's infrastructure being taken over and sabotaged if hackers figure out ways to bypass their security controls. Officials are frequently aware of the risks, but financial constraints and personnel matters often trump those concerns.

“For folks with less resources available and tighter budgets, (there's) web-based remote access,” said Michael Assante, a SCADA security expert and president of the National Board of Information Security Examiners, a nonprofit focused on security workforce training. Having controls available over the internet means many cash-strapped agencies don't have to have dedicated SCADA engineers on premises around the clock, he explained. “They're trying to use the technology to maximize the resources they have available to them.” ®

This article was updated to clarify blowers.

Follow @dangoodin001 on Twitter.

Next gen security for virtualised datacentres

More from The Register

next story
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.