The hacker known as 'pr0f' counted coup with a post on Pastebin posting screenshots of the hack along with specific attacks on comments of the DHS on the Illinois attack:
"At this time there is no credible, corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety," Boogaard told SCMagazine.
"This was stupid," pr0f posted. " Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely F***** the state of national infrastructure is. I've also seen various people doubt the possibility an attack like this could be done."
Seriously. It's time to lock SCADA up a bit.
While no one doubted the warnings about SCADA vulnerabilities were true or that foreign governments might be behind any attacks, none of the security analysts or researchers I talked to thought it would happen any time soon.
Actually, they all expected it would happen any minute because the profile of the targets were so high and the safeguards so relatively low. They just figured the first real penetration and takeover would be from someone with a proof-of-concept to test or a point to make – someone like pr0f, or a researcher at Kaspersky or Symantec or another security firm.
The reputed U.S. role in sending the Stuxnet virus to attack Iran's nuclear development program raised awareness of SCADA systems and their vulnerabilities, while almost inviting a tit-for-tat counterattack.
Stuxnet also introduced nto general use the idea that malware could be tailored to carefully and deliberately screw up a particular industrial control system within a specific set of facilities.
The exploits used to penetrate both facilities don't demonstrate much about how to attack a SCADA system, except that it's pathetically easy to do so, at least within the U.S.
The concept they do prove is that more needs to be done – by the utilities, the SCADA vendors and U.S. security agencies – to reduce the number of vulnerabilities through which it appears even small children could attack and cripple portions of the U.S.