Attacks/Breaches
11/21/2011
11:23 AM
50%
50%

Hacker Apparently Triggers Illinois Water Pump Burnout

Attack illustrates the extent to which industrial control systems are Internet-connected, yet lack basic password checks or access controls.

Federal authorities are investigating a hack that resulted in the burnout of a water pump at the Curran-Gardner Township Public Water District in Illinois. Located west of Springfield, Ill., the utility serves about 2,200 customers.

A hacker apparently exploited a supervisory control and data acquisition (SCADA) system that managed the water pump and set the pump to continually turn on and off. Only after the pump failed, earlier this month, did plant operators discover that their systems had been exploited, apparently in September. The attack appeared to have been launched from a server based in Russia.

Federal authorities said they're investigating the attack, but offered no specifics about the exploit. "DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Illinois," Department of Homeland Security spokesman Peter Boogaard said in a statement. "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."

[ Get the scoop on industrial control system threat Duqu. Read 7 Facts On Duqu Malware Attacks. ]

According to news reports, Illinois officials discovered that the attacker had exploited an instance of phpMyAdmin running at the facility. The open source tool, according to its Sourceforge project notes, is "intended to handle the administration of MySQL over the Web."

But why was a water treatment facility using phpMyAdmin, which has over 100 known vulnerabilities? "I run a reasonably low-profile, small website for myself and some friends and at one point had installed phpMyAdmin to assist them with daily SQL management chores," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. "I removed it four years ago after a never-ending stream of severe vulnerabilities made it too risky for my play site."

"Convenience and price are always desirable to those responsible for managing these systems, but this is bordering on criminally negligent when you are responsible for our water, power, gas, and other sensitive utilities," he said.

According to industrial control system security expert Joe Weiss, managing partner at Applied Control Solutions, the Illinois SCADA hack has also exposed fundamental critical infrastructure information-sharing problems. "The system is broken," said Weiss on his blog. Notably, by Thursday--after news of the attack had spread--"none of the water utilities I have spoken to were aware of it," he said. That's because no information about the incident had been distributed via the industry-focused information sharing and analysis centers (ISACs), or by fusion centers meant to coordinate terrorism prevention and response efforts between federal agencies and local and state governments.

"The disclosure was made by a state organization, but has not been disclosed by the Water ISAC, the DHS Daily unclassified report, the ICS-CERT [the DHS Industrial Control Systems Cyber Emergency Response Team], etc.," said Weiss. He said that the government must do a much better job of coordinating and disclosing information about these types of attacks, and in a timely manner.

For helping to prevent future such attacks, he's also called for better "control system cybersecurity training and policies," and urged control system users to put better processes and technology in place for supporting digital forensics.

The Illinois water hack has already inspired another, more recent exploit, this one against a water treatment facility in South Houston, Texas. The hacker who took credit for the intrusion, who goes by the handle "pr0f," released screenshots of the exploited programmable logic controller (PLC). But he told Threatpost that the Siemens Simatic human machine interface (HMI) software that he exploited was Internet-connected, and protected with only a three-character password.

"This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this," he said. "I'm sorry this ain't a tale of advanced persistent threats and stuff, but frankly most compromises I've seen have been have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint."

Read our report on how to guard your systems from a SQL attack. Download the report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CPOULIN 000
50%
50%
CPOULIN 000,
User Rank: Apprentice
11/21/2011 | 7:25:05 PM
re: Hacker Apparently Triggers Illinois Water Pump Burnout
In April of this year, Q1 Labs sponsored an independent Ponemon study that predicted exactly this attack profile: using cyber attack techniques to cripple physical assets, which would traditionally be subject to sabotage. IT Security in these organizations has the challenging task of protecting critical infrastructure against breach, but the resources are being placed elsewhere. In fact, the Ponemon study found a 10X delta in security spend between physical security and IT security, and without change it will continue to be the IT infrastructure that is under attack. If you want to see the full survey results, you can find them at http://q1labs.com/resource-cen.... - Chris Poulin, Q1 Labs
SanDiegoJM
50%
50%
SanDiegoJM,
User Rank: Apprentice
11/21/2011 | 5:41:43 PM
re: Hacker Apparently Triggers Illinois Water Pump Burnout
San Diego Gas & Electric still cannot clearly explain why the power grid failed on September 8th, 2011 and left millions of customers in Southern California without power. SDG&E claims the grid failure and San Onofre Nuclear Power plant shutdown were victims of Gǣone employee changing a capacitor. Even after their own GǣinvestigationGǥ, they are at a loss to explain to the public what really caused the unpredicted power outage.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The Impact of a Security Breach 2017
The Impact of a Security Breach 2017
Despite the escalation of cybersecurity staffing and technology, enterprises continue to suffer data breaches and compromises at an alarming rate. How do these breaches occur? How are enterprises responding, and what is the impact of these compromises on the business? This report offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.