Was the destruction of water system equipment by hackers a wake up call or a fluke event?

delia25

There was news over the weekend about a municipal water company in Illinois having hackers access their systems remotely and destroying some of the equipment.  See: http://www.bbc.co.uk/news/technology-15817335

I never thought of this type of damage to physical infrastructure as a potential issue, but I was obviously living in oblivion. What level of problem does this attack reveal? Is it really a serious issue, or was it just a case of a small local entity having sub-par security in place?

Topic: Security
Answer this Question

Answers

2 total
jimlynch
Vote Up (19)

Hi delia25,

I'd consider it a wake up call. It's not really surprising that such a thing has happened. Those sorts of infrastructure devices are perfect for hackers to go after. So I think, unfortunately, we'll see more incidents like that happen in the future.

Here's an article that looks at it and recommends some changes to protect systems:

Water Utility Hacked: Are Our SCADA Systems at Risk?
http://www.pcworld.com/businesscenter/article/244359/water_utility_hacke...

"With the stakes so high, it is important for SCADA networks to ramp up awareness and defensive capabilities. Marcus recommends that SCADA admins do the following:

Include “cyber” in all risk management
Set up extensive penetration testing
Set up extensive counter-social engineering training
Put a SCADA-specific CERT plan and team in place
Network with law enforcement at all levels
Expect to get attacked and take appropriate countermeasures"

mstrauss
Vote Up (17)

 

I also think it is an important wake-up call.  I can't believe that there was such an obvious vulnerability in such an important public utility.  Apparently this attack was launched by hackers in Russia.  It could be replicated by hackers from Iran, North Korea, or anywhere else.  I think these Russian hackers did us a favor by exposing the vulnerability present in a small water system.  Considering the publicity, other H2O systems would have to be complete and utter idiots not to reexamine their security procedures in light of this.  Especially any that are foolish enough to have internet facing server frontends.  

 

First of all, the freakin' IP address used to hack the system was in Russia.  Haven't people heard of IP address filtering.  It's a good start, and pretty darn standard for companies that utilize remote assistance to require it be performed from a static IP.  Secondly, why the heck wouldn't critical systems, like, ohhhh, fresh water systems, have one-way VPNs in place.  It isn't rocket science.

 

In the BBC article that was linked to the original question, there was an interview from Threat Post with the purported hacker, and he claimed to have access to the control system for a waste water treatment plant in Texas.  The hacker said that it wasn't even really deserving of the term "hack" in light of the three (THREE!) character password chosen to "protect" the system.  If people are really being that sloppy and/or lazy, we really do have a serious issue that must be addressed ASAP!

 

Ask a question

Join Now or Sign In to ask a question.
Based on data gathered over the first six months of 2014, security researchers from IBM X-Force predict that the number of publicly reported vulnerabilities will drop to under 8,000 this year, a first since 2011.
Some visitors to several high-profile websites last week were redirected to browser exploits that installed malware on their computers because of malicious advertisements on those sites.
Netflix has released three internal tools it uses to catch hints on the Web that hackers might target its services.
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach
McAfee, part of Intel Security, has made improvements to its Server Security Suites portfolio with the introduction of performance optimisation and additional management efficiency to increase security for servers in physical, virtualised and Cloud environments.
The cybercriminal gang behind the Kelihos botnet is tricking users into installing malware on their computers by appealing to pro-Russian sentiments stoked by recent international sanctions against the country.
Future versions of the Firefox OS mobile platform will allow users to control application-specific permissions, a feature with both privacy and security benefits that's missing on Android.
A line of routers from a China-based manufacturer has a serious flaw that could allow a hacker to monitor someone's Internet traffic, according to research from Trend Micro.
Smartphones sold in California will soon be required to have a kill switch that lets users remotely lock them and wipe them of data in the event they are lost or stolen.
The U.S. National Security Agency built a "Google-like" search engine to give domestic and international government agencies access to details of billions of calls, texts and instant messages sent by millions of people, according to The Intercept.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+