November 21, 2011, 2:07 PM — Not only is it suddenly fashionable to hack U.S. water utilities, it turned out to be alarmingly easy.
The hacker who took over the South Houston, Texas water facility last week claims to have had to crack only a three-character password to get in.
Hackers who may have penetrated the water utility in Springfield, Ill. as early as September but were detected only Nov. 8 logged in using valid names and passwords stolen from the vendor of the SCADA software itself – credentials that could give them entry to huge numbers of other facilities as well, according to Joe Weiss, the security blogger who revealed the attack.
It's a coincidence that both hacks were made public last week, but it's actually a surprise successful hacks haven't taken place before now.
Both general-purpose and cyber-specific security agencies in the U.S. looked at SCADA and have been warning for, literally, years that weaknesses in digital security with SCADA apps and within the utilities that use them made real-world infrastructure vulnerable to cyberattack.
The Department of Homeland Security confirmed for CNN and other outlets Friday that it is investigating the Illinois attack, but wouldn't confirm how extensive it was or what the potential might be for other attacks.
Easiest way to break in: Steal a key
DHS spokesman Peter Boogaard said only that DHS and the FBI were investigating a possible cyberattack on a facility in Springfield, Ill. and that the failure of a water pump was part of the investigation.
He pump failed because the hackers ruined it according to information from a Nov. 10 report from the llinois Statewide Terrorism and Intelligence Center that has not been released to the public.