Was the destruction of water system equipment by hackers a wake up call or a fluke event?

delia25

There was news over the weekend about a municipal water company in Illinois having hackers access their systems remotely and destroying some of the equipment.  See: http://www.bbc.co.uk/news/technology-15817335

I never thought of this type of damage to physical infrastructure as a potential issue, but I was obviously living in oblivion. What level of problem does this attack reveal? Is it really a serious issue, or was it just a case of a small local entity having sub-par security in place?

Topic: Security
Answer this Question

Answers

2 total
mstrauss
Vote Up (19)

 

I also think it is an important wake-up call.  I can't believe that there was such an obvious vulnerability in such an important public utility.  Apparently this attack was launched by hackers in Russia.  It could be replicated by hackers from Iran, North Korea, or anywhere else.  I think these Russian hackers did us a favor by exposing the vulnerability present in a small water system.  Considering the publicity, other H2O systems would have to be complete and utter idiots not to reexamine their security procedures in light of this.  Especially any that are foolish enough to have internet facing server frontends.  

 

First of all, the freakin' IP address used to hack the system was in Russia.  Haven't people heard of IP address filtering.  It's a good start, and pretty darn standard for companies that utilize remote assistance to require it be performed from a static IP.  Secondly, why the heck wouldn't critical systems, like, ohhhh, fresh water systems, have one-way VPNs in place.  It isn't rocket science.

 

In the BBC article that was linked to the original question, there was an interview from Threat Post with the purported hacker, and he claimed to have access to the control system for a waste water treatment plant in Texas.  The hacker said that it wasn't even really deserving of the term "hack" in light of the three (THREE!) character password chosen to "protect" the system.  If people are really being that sloppy and/or lazy, we really do have a serious issue that must be addressed ASAP!

 

jimlynch
Vote Up (19)

Hi delia25,

I'd consider it a wake up call. It's not really surprising that such a thing has happened. Those sorts of infrastructure devices are perfect for hackers to go after. So I think, unfortunately, we'll see more incidents like that happen in the future.

Here's an article that looks at it and recommends some changes to protect systems:

Water Utility Hacked: Are Our SCADA Systems at Risk?
http://www.pcworld.com/businesscenter/article/244359/water_utility_hacke...

"With the stakes so high, it is important for SCADA networks to ramp up awareness and defensive capabilities. Marcus recommends that SCADA admins do the following:

Include “cyber” in all risk management
Set up extensive penetration testing
Set up extensive counter-social engineering training
Put a SCADA-specific CERT plan and team in place
Network with law enforcement at all levels
Expect to get attacked and take appropriate countermeasures"

Ask a question

Join Now or Sign In to ask a question.
Ping Identity has picked up another $35 million in venture funding to speed development of the next-generation of its identity and access management technology and expand the company's presence in Europe and Asia-Pacific.
Apple's new passcode-based encryption for the iPhone and iPad can be circumvented and provides only limited protection to data.
Google, Dropbox and the Open Technology Fund are supporting a new organization focused on making open-source security and privacy tools more user-friendly.
Among six major U.S. cities, CSOs are paid the most in San Francisco and New York, but factoring in the cost of living makes Denver and Chicago the best bang-for-the-buck places.
Apple's iOS 8 addresses a serious weakness that could allow attackers to hijack the wireless network authentication of Apple devices and gain access to enterprise networks.
Legislation introduced in the U.S. Senate on Thursday aims to place limits on access by U.S. law enforcement agencies to emails and other communications stored abroad.
Two online advertising networks, Google's DoubleClick and Zedo, have been delivering malicious advertisements that could install malware on a person's computer, according to the security vendor Malwarebytes.
Google is turning on data encryption by default in the next version of Android, a step that mirrors broad moves in the technology industry to ensure better data security.
CloudFlare said it has engineered a novel way to handle sensitive encryption keys that allows organizations such as financial institutions to still use its caching service to fend off cyberattacks.
Samsung on Thursday announced price reductions and updates for its Knox security and management software for IT shops and a free My Knox service that is directly available to professionals using ActiveSync.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

randomness