Illinois, Texas hacks show it's easy to take over U.S. water systems

Don't drink the water; you don't know who's pwned it.

Not only is it suddenly fashionable to hack U.S. water utilities, it turned out to be alarmingly easy.

The hacker who took over the South Houston, Texas water facility last week claims to have had to crack only a three-character password to get in.

Hackers who may have penetrated the water utility in Springfield, Ill. as early as September but were detected only Nov. 8 logged in using valid names and passwords stolen from the vendor of the SCADA software itself – credentials that could give them entry to huge numbers of other facilities as well, according to Joe Weiss, the security blogger who revealed the attack.

It's a coincidence that both hacks were made public last week, but it's actually a surprise successful hacks haven't taken place before now.

Both general-purpose and cyber-specific security agencies in the U.S. looked at SCADA and have been warning for, literally, years that weaknesses in digital security with SCADA apps and within the utilities that use them made real-world infrastructure vulnerable to cyberattack.

The Department of Homeland Security confirmed for CNN and other outlets Friday that it is investigating the Illinois attack, but wouldn't confirm how extensive it was or what the potential might be for other attacks.

Easiest way to break in: Steal a key

DHS spokesman Peter Boogaard said only that DHS and the FBI were investigating a possible cyberattack on a facility in Springfield, Ill. and that the failure of a water pump was part of the investigation.

He pump failed because the hackers ruined it according to information from a Nov. 10 report from the llinois Statewide Terrorism and Intelligence Center that has not been released to the public.

The information came from Joe Weiss, a managing partner and blogger SCADA security and information provider Applied Control Solutions. s

Weiss got permission to read parts of the report to news outlets including Wired and TheRegister as long as he didn't name the software vendor involved or the state in which it is headquartered.

According to information Weiss read from the report, attackers from IP addresses in Russia logged in using stolen credentials and may have had the run of the systems for as long as three months before being noticed.

Staffers noticed glitches in remote-access portions of the system for weeks before the instability in the system overall became great enough that they checked for – and found – evidence of intrusion and, eventually, that the hackers may be responsible for burning out the motor on a major pump at the facility.

Takeovers by hackers tend to be temporary, if only because it's simpler for the system's owner to pull the plug. SCADA systems directly control often-sensitive industrial systems, such as the high-speed centrifuges in Iran that were attacked by the Stuxnet virus in 2010.

It's easily possible for attackers to ruin the systems that provide the water or power, as well as taking over and cutting off the juice temporarily – a secondary risk for security analysts worried about penetration, but one with the potential for longer-term damage than simply shutting off the power grid.

In 2007 researchers at the federal Idaho National Laboratories found a vulnerability in the electricity grid that allowed attackers to enter and take over control of part of the system. A video of the damage they did to a diesel generator as an illustration of the risk was leaked to CNN and is still up on YouTube.

Stuxnet didn't ruin the centrifuges in Iran's Bushehr nuclear development facility; it only changed their speeds so they gave inconsistent results and slowed down the Iranian development effort.

Neither Weiss nor the DHS said what the hackers were after in Illinois, if they even know.

Username: I-M Password: D-U-M

The reason behind the less portentous attack is more obvious, though the reason is less disturbing than the method.

A hacker operating from an address in Romania claims a password only three letters long made it easy to penetrate security on the water utility systems in South Houston last week.

The hacker known as 'pr0f' counted coup with a post on Pastebin posting screenshots of the hack along with specific attacks on comments of the DHS on the Illinois attack:

"At this time there is no credible, corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety," Boogaard told SCMagazine.

"This was stupid," pr0f posted. " Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely F***** the state of national infrastructure is. I've also seen various people doubt the possibility an attack like this could be done."

Not anymore.

Seriously. It's time to lock SCADA up a bit.

While no one doubted the warnings about SCADA vulnerabilities were true or that foreign governments might be behind any attacks, none of the security analysts or researchers I talked to thought it would happen any time soon.

Actually, they all expected it would happen any minute because the profile of the targets were so high and the safeguards so relatively low. They just figured the first real penetration and takeover would be from someone with a proof-of-concept to test or a point to make – someone like pr0f, or a researcher at Kaspersky or Symantec or another security firm.

The reputed U.S. role in sending the Stuxnet virus to attack Iran's nuclear development program raised awareness of SCADA systems and their vulnerabilities, while almost inviting a tit-for-tat counterattack.

Stuxnet also introduced nto general use the idea that malware could be tailored to carefully and deliberately screw up a particular industrial control system within a specific set of facilities.

The exploits used to penetrate both facilities don't demonstrate much about how to attack a SCADA system, except that it's pathetically easy to do so, at least within the U.S.

The concept they do prove is that more needs to be done – by the utilities, the SCADA vendors and U.S. security agencies – to reduce the number of vulnerabilities through which it appears even small children could attack and cripple portions of the U.S.

Keeping the usernames and passwords of customers in a database vulnerable to the outside – and not realizing or reporting the loss of that data when it happened – indicates more than just lax security.

For the SCADA vendor it shows unforgiveable negligence toward both security and customers.

The vendor should have known it had been hacked, understood the implications of the kind of data it lost and warned customers its negligence had made vulnerable.

That it apparently did none of these thing is a crime in itself.

It's a crime with plenty of accomplices, however.

Three characters for a password? Really South Houston?

"I wouldn't even call this a hack, either. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic," pr0f posted, downplaying the accomplishment while appropriately humiliating the victim.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon