Hacking Illinois Water: Seven Questions and Six Answers
November 21, 2011 By Dan Lohrmann
The top technology story at the end of last week was a cyber attack that, according to multiple news sources, penetrated a US public water system in Illinois. Here is what we know, and what we don't.
Question 1) What happened to prompt the concern?
Answer: An Illinois water system pump was (reportedly) turned on and off repeatedly until it failed.
According to the Breitbart article "Foreign cyber attack hits US Infrastructure: expert":
“The Illinois Statewide Terrorism and Intelligence Center disclosed the cyber assault on a public water facility outside the city of Springfield last week but attackers gained access to the system months earlier according to Joseph Weiss (managing partner from Applied Control Solutions).
The network breach was exposed after cyber intruders burned out a pump.
‘No one realized the hackers were in there until they started turning on and off the pump,’ according to Weiss.”
Question 2) Are we sure that the pump failed as a result of a cyber attack?
Answer: No, but it looks likely. The Daily Mail (UK) reported: “The Department of Homeland Security confirmed that a water plant in Springfield, Illinois, had been damaged.
However spokesman Peter Boogaard said officials had yet to confirm that the pump failure was the result of a cyber-attack.”
Question 3) How did the hackers gain enough access to bring down the water pump?
Answer: According to a report from the Illinois Statewide Terrorism and Intelligence Center (the state fusion center), the attackers broke into a SCADA software vendor's database and obtained the user names and passwords for the control systems that run water plant equipment.
“The attackers are thought to have obtained the usernames and passwords to the system by first breaking into a computer belonging to the utility's SCADA software vendor. SCADA vendors often maintain a list of usernames and passwords for accessing systems at customer locations for support purposes. Anyone with those credentials can gain access to the customer system, which is what appears to have happened here.”
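The attack path described above (a vendor-held support credential that is valid from anywhere, then repeated pump commands) leaves two signals a utility can look for in its own remote-access and HMI logs. The script below is an added example, not code from the original post or from any vendor or agency involved; the log format, the account name `vendor_support`, the vendor address range `198.51.100.0/24` and every log line are constructed for illustration. It flags a vendor support login from a source outside the vendor's known ranges and a single session flipping one device's state several times within a short window.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for this example (not data from the Illinois incident).
# Fields: timestamp  event  user  source_ip  target  value
SAMPLE_LOG = """\
2011-11-08T02:14:05 AUTH_OK vendor_support 203.0.113.7 hmi01 -
2011-11-08T02:14:40 WRITE vendor_support 203.0.113.7 PUMP_3 ON
2011-11-08T02:15:02 WRITE vendor_support 203.0.113.7 PUMP_3 OFF
2011-11-08T02:15:30 WRITE vendor_support 203.0.113.7 PUMP_3 ON
2011-11-08T02:16:01 WRITE vendor_support 203.0.113.7 PUMP_3 OFF
2011-11-08T02:16:33 WRITE vendor_support 203.0.113.7 PUMP_3 ON
2011-11-08T09:30:11 AUTH_OK operator_jsmith 10.20.0.15 hmi01 -
2011-11-08T09:31:00 WRITE operator_jsmith 10.20.0.15 PUMP_1 ON
2011-11-08T14:02:00 AUTH_OK vendor_support 198.51.100.20 hmi01 -
2011-11-08T14:03:10 WRITE vendor_support 198.51.100.20 PUMP_1 OFF
2011-11-08T16:45:00 WRITE operator_jsmith 10.20.0.15 PUMP_1 OFF
"""

# Assumptions for the example: the vendor's shared support account, and the
# address ranges its support staff are contracted to connect from.
VENDOR_ACCOUNTS = {"vendor_support"}
VENDOR_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text):
    """Parse the whitespace-separated log into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src, target, value = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "user": user,
            "src": ipaddress.ip_address(src),
            "target": target,
            "value": value,
        })
    return events


def vendor_logins_from_unknown_sources(events):
    """Rule 1: a vendor support credential used from outside the vendor's ranges.
    A credential the vendor holds for every customer is valid from anywhere
    unless the utility pins it to known source addresses."""
    findings = []
    for e in events:
        if e["event"] != "AUTH_OK" or e["user"] not in VENDOR_ACCOUNTS:
            continue
        if not any(e["src"] in net for net in VENDOR_NETWORKS):
            findings.append((e["ts"].isoformat(), e["user"], str(e["src"])))
    return findings


def rapid_toggles(events, window=timedelta(minutes=5), threshold=4):
    """Rule 2: one session changing one device's state `threshold` or more
    times inside `window`. Operators change a pump state occasionally;
    repeated ON/OFF cycling is both damaging to the motor and anomalous."""
    last_state = {}
    changes = defaultdict(deque)   # (user, src, target) -> times of state changes
    flagged = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "WRITE":
            continue
        key = (e["user"], str(e["src"]), e["target"])
        if key in last_state and last_state[key] != e["value"]:
            q = changes[key]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # drop changes outside the window
                q.popleft()
            if len(q) >= threshold:
                flagged[key] = max(flagged.get(key, 0), len(q))
        last_state[key] = e["value"]
    return flagged


def analyze(text):
    """Run both rules over a log and return the findings keyed by rule name."""
    events = parse_log(text)
    return {
        "vendor_logins_from_unknown_sources": vendor_logins_from_unknown_sources(events),
        "rapid_toggles": rapid_toggles(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(rule, hits)
```

On the constructed log the first rule flags the 02:14 login from 203.0.113.7 and the second flags four state changes of PUMP_3 within two minutes by that same session; the later vendor login from the contracted range and the operator's two writes hours apart are not flagged. The first rule is the cheaper control: if a shared vendor credential can only be used from the vendor's addresses (or through a utility-controlled jump host), a copy of it lifted from the vendor's database is far less useful on its own.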
Question 4) Was anyone harmed or did customers lose water service?
Answer: No. Other pumps and/or systems maintained service during the pump failures.
Question 5) Why is this such a big deal? Why is this a top story around the world if no one was hurt?
Answer: The ramifications of a confirmed, successful cyber attack against any piece of critical infrastructure are enormous. Beyond water, there are fears of attacks against transportation, electricity and other important infrastructure sectors. Yes, each sector has plans for defense.
Vulnerable critical infrastructure components exist, and many programs attempt to protect these systems from cyber and other attacks. Utilities, NERC and other organizations have spent millions of dollars to start building the smart grid, which may itself be susceptible to cyber attack.
If this failure is confirmed as a cyber attack, the sense of urgency will only increase. Many experts believe that a 21st century "cyber war" is coming and that it will resemble the "cold war" of the 20th century.
Movies like Live Free or Die Hard (“Die Hard 4”) demonstrate a worst-case cyber attack scenario against critical infrastructure – but remember this is fiction which is overdone to entertain.
Question 6) Are there any other water systems or other utilities that were compromised by the same cyber incident?
Answer: This is still being investigated. Several sources believe other systems may have been compromised. Either way, the implications for the wider Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) community are huge.
If you need help, each sector has plans and programs, but you can start with this Critical Infrastructure Protection (CIP) website at DHS.
Question 7) Was this a cyber “test” by the bad guys? Is this the beginning of a dangerous hacker trend?
Answer: You decide. Time will give us the answer, but we had better plan for the worst while hoping for the best. Either way, this should be a cyber wake-up call for America.
It is a sad state of affairs when security documentation from England, France and Hollywood movies are the primary sources of information regarding the compromise of an American IT system.
This is what happens when someone tries to use the internet for convenience without paying proper attention to security. If this had been a question of physical access to a secure building, nobody would have permitted access to that many employees without tracking the use of their access. Failure to maintain the same standards for data as for physical security is simply irresponsible.
Sam - Fair comment. In my experience, foreign news sources sometimes provide unique (and often better) coverage of US events - including technology and security stories. Referencing those sources also demonstrates global interest on these topics. While the mention of "Die Hard 4" may seem "over the top" in this case, I have found that many people struggle to understand the potential long-term impact of a security breach to critical infrastructure. Movies and books often "paint the picture" better for readers than news stories - even if they exaggerate. Thanks for your comments. I appreciate the dialogue. Dan
The only way to keep the coffee house hackers from getting into the smart grid system is to sandbox it. Have it in no way connected to the internet. Yes, it would cost more to run their own fiber, but you could use all the current hardware/software that is available. This way to hack the system you would have to be here physically, not in a basement in Russia or China. As long as it is connected to the internet, someone will get in.
I agree with ccrydr. Keep it on a private network with physically secured routers and switches and NEVER let it be linked to the internet without a super-locked-down firewall. It might be less expensive to use the public networks but beef up the firewalls, routers, switches, etc. and use VPNs with additional security built in requiring hardwired, coded "dongles" to be attached to the accessing workstation. Without a cloned security "dongle", the hackers couldn't get in even with user IDs and passwords. If I'm not mistaken, some sort of physical encryption key is used in secure communications in the military and intelligence communities already. That should be adaptable to utility/manufacturing networks for added security against hacking attempts.
There is later information on this article. It appears that the Illinois water system was NOT hacked. See my next blog or visit: http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Illinois-Water-System-Was-112311.html
We've been following the entire incident for the past 2 weeks. Some recent commentary by one of our moderators, Jake Brodsky, can be found here: http://news.infracritical.com/pipermail/scadasec/2011-November/020703.html The whole thread may be found at the archives to the SCADASEC mailing list: http://news.infracritical.com/pipermail/scadasec/2011-November/thread.html Quite honestly, it is not known if this incident truly occurred...or not. The fact is, both DHS and FBI have officially indicated that the "cyber attack" (er...hack) did *not* exist. Again, review the article that Jake wrote; it demonstrates the "damned if you do, and damned if you don't" circumstance that both DHS and FBI are currently facing. Cheers. Bob Radvanovsky, Owner/Moderator of SCADASEC rsradvan@infracritical.com
Also...I would like to invite the readers of this post to become members, and participate in our mailing list. It's publicly available, it's free, and it's the *only* one on the planet dedicated to SCADA and control systems security. The mailing list is called "SCADASEC", and can be accessed here: http://www.scadasec.com