Water Pump Hack Paints Picture of Leaky Utility Security
Nov 21, 2011 12:15 PM PT
A small water utility in Illinois has been hacked, reportedly leading the FBI and the United States Department of Homeland Security (DHS) to look into the matter.
The attack came from Russia, according to control systems cybersecurity expert Joseph Weiss, whose blog first publicized the matter. He suggested the hack might have been linked to an earlier break-in at a SCADA system vendor.
SCADA systems, or supervisory control and data acquisition systems, are used to monitor and control industrial processes such as those at electric and water utilities.
That hack in Illinois is just a harbinger of things to come, Weiss warned.
"The electric utilities industry has turned security into a compliance exercise, and they've created their checklist in such a way as to minimize the number of assets they need to look at," Weiss told TechNewsWorld.
"Roughly 70 to 80 percent of the power utilities in the United States are not considered critical, and 100 percent of distribution isn't," Weiss added.
EPRI, the Electric Power Research Institute, the members of which provide more than 90 percent of the electricity generated and delivered in the United States, did not respond to requests for comment by press time.
What Happened In Illinois
Essentially, the hacker who broke into the system of the water utility serving Springfield, Ill., kept powering its SCADA system on and off, burning out a water pump, Weiss stated.
A water district employee spotted the problem earlier this month, but forensic evidence indicates the system may have been hacked back in September, according to the Illinois Statewide Terrorism and Intelligence Center, which reported the hack.
That information was not published by the DHS or any other security organization, Weiss said, and other water utilities he spoke with weren't aware of the break-in at the time.
The DHS states it has launched an investigation, but "I'm ... concerned about what DHS and DoE (the Department of Energy) are doing or not doing," Weiss stated.
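The power-cycling Weiss describes would show up in a utility's command logs as an implausibly fast run of start/stop transitions on one pump, something a historian or SCADA log monitor can flag long before a motor burns out. The following is an added example, not code from the article, the utility or any of the organizations quoted; the log format, pump ids, timestamps and thresholds are all constructed for illustration.

```python
"""Detect rapid on/off cycling of pumps in SCADA command logs.

Added example; not code from the article or from any utility. The log format
below is an assumption made for illustration, not a real historian format.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (not data from the Illinois incident). Assumed format:
# "<UTC timestamp> pump=<id> cmd=<START|STOP>"
SAMPLE_LOG = """\
2011-09-03T02:00:00Z pump=P1 cmd=START
2011-09-03T02:07:30Z pump=P1 cmd=STOP
2011-09-03T02:07:41Z pump=P1 cmd=START
2011-09-03T02:07:55Z pump=P1 cmd=STOP
2011-09-03T02:08:10Z pump=P1 cmd=START
2011-09-03T02:08:22Z pump=P1 cmd=STOP
2011-09-03T02:08:40Z pump=P1 cmd=START
2011-09-03T04:00:00Z pump=P2 cmd=START
2011-09-03T05:30:00Z pump=P2 cmd=STOP
"""


def parse_line(line):
    """Parse one log line into (timestamp, pump id, command)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["pump"], kv["cmd"].upper()


def detect_rapid_cycling(log_text, window=timedelta(minutes=5), max_transitions=3):
    """Return alerts as (pump, first_ts, last_ts, transitions) tuples.

    A transition is a START after a STOP or vice versa. An alert fires when a
    pump sees more than `max_transitions` transitions inside any `window`;
    the counter resets after an alert so one burst yields one alert.
    """
    recent = {}    # pump -> deque of transition timestamps inside the window
    last_cmd = {}  # pump -> last command seen for that pump
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pump, cmd = parse_line(line)
        if last_cmd.get(pump) == cmd:
            continue  # repeated command, no state change
        last_cmd[pump] = cmd
        q = recent.setdefault(pump, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop transitions that fell out of the window
        if len(q) > max_transitions:
            alerts.append((pump, q[0], ts, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for pump, start, end, n in detect_rapid_cycling(SAMPLE_LOG):
        print(f"ALERT {pump}: {n} start/stop transitions between {start} and {end}")
```

On the constructed log the detector raises one alert for pump P1 (four transitions inside 40 seconds) and stays quiet for P2, whose single start/stop pair hours apart is normal operation. The window and threshold are tuning knobs; a real deployment would set them per pump from its normal duty cycle, and would also want to record the source of each command so that cycling driven from an unexpected host or login stands out.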
Where Our Electric Utilities Stand
Electric utilities in the United States are woefully unprepared to handle any attacks on their infrastructure, Weiss told PBS back in 2003. Weiss had been a technical manager for 15 years at EPRI.
That's partly because of the way control systems -- which include SCADA systems -- were designed, and partly because of the electric utility industry's needs, he said.
Utilities need systems to be able to talk to each other over various media, but their communications lines are not secured, Weiss explained.
While utilities' control centers are highly secured, power plants and substations aren't, he pointed out.
"Many systems controlling critical infrastructure are legacy in terms of hardware, software, protocols and, of course, security," Mike Geide, senior security researcher at Zscaler ThreatLabZ, told TechNewsWorld.
Protecting these systems is "a difficult and potentially expensive task," Geide added.
"I worry that operational security isn't of paramount concern at any location of similar importance to the Illinois [utility] and, allegedly, Texas SCADA installations, where intrusions supposedly took place," Andrew Brandt, director of threat research at Solera Networks Research Labs, told TechNewsWorld.
The electric utilities industry's security checklists are created in such a way as to minimize the number of assets that need to be looked at, Weiss alleged.
"One of the things they did is create a bright line," Weiss added. "If you're on one side of it, you're considered a critical asset; if you're on the other side, you're not and don't have to be looked at."
The bulk of electric utility equipment, and the entire portion of the grid classified as distribution, aren't counted as critical assets, Weiss stated.
"This is why this [intrusion into the Illinois water utility] is such a big deal," Weiss said.
Already, a hacker going by the handle "pr0f" has claimed to have hacked into the SCADA system of the utility serving the city of South Houston and posted the results.
The intrusion was quite easy, pr0f asserted.