How Secure Is Your SCADA System From a Cyber Attack?

Are We So Afraid the Big Bad Wolf Is at the Door That We Jump to Conclusions That Support Our Predictions Instead of First Making Sure Our Systems Are Safe at Some Level?

By Jeremy Pollard

"No need to investigate why people are able to log into your SCADA system from all over the world," blogged computer security expert Dave Aitel. He's referring to a rather poor agency response to a couple of presumed SCADA hacks that occurred in the U.S.

The IP address that was used to access an Illinois water district's SCADA system was in Russia, which alerted the Dept. of Homeland Security (DHS) and the FBI to possible wrongdoing. It later turned out that the access was — at the request of the utility itself — initiated by its system integrator, who was on vacation in Russia.

This hack was blogged about by Joe Weiss, the managing partner for Applied Control Solutions. He reported that the attackers burned out one of the utility's pumps by causing the pump — or the SCADA system that controlled it — to turn on and off repeatedly. It turns out the pump had simply failed all on its own.

In Weiss's defense, he was working with badly inaccurate information primarily from DHS. Monique Bond, spokesperson for the Illinois terrorism and security center that coordinates actions of the DHS, CIA and State Police, stated, "The center's focus was on how Weiss received a copy of a report that he should never have received." It seems like the focus should be on why the report was so wrong.

Weiss blogged that he was shocked that the report had not been corroborated by the involved agencies before release.

The second event was at a Texas facility. This was a proof-of-concept hack. A user known only as "pr0f" logged into a South Houston pumping station, took screenshots, and left.

The Aitel blog trail was very enlightening. There are hackers who hack for the sake of hacking, and to try to expose vulnerabilities so that the hackees can do something about them. The Digital Bond website suggests that they hope the FBI will provide some details on the issue.

Marty Edwards at DHS commented that this hack was an ongoing criminal investigation. This is funny, since pr0f posted information that it really wasn't a hack, and anyone familiar with Simatic would not have any issues. I can only conclude that the user name and password on the SCADA system weren't changed from the default. There are other questions as well, but it's pretty clear that he got in without much trouble.

I downloaded the screenshots that pr0f allegedly scooped. I have worked in water/wastewater, and the screens sure look authentic.

So, what are we to make of all this?

I cringe when I read advertisements in trade magazines that you can access your process PLCs over the Internet. Just because you can doesn't mean you should. We have had multiple arguments on control networks vs. IT networks, and different points of access.

I am working on a proposal for a municipality to upgrade its SCADA systems. New servers, remote access, PLC redundancy — all the good stuff.

It is up to me to provide guidance and implementation of the complete system. Though a city of less than 100,000 might not be the target of a cyber-criminal, the message is very clear.

I know enough about security and implementation to know that I can't do that part of this project. I will enlist the assistance of a very knowledgeable IT guy who will guide me. My system will not end up on a website for hacked screenshots.

Right now, however, the system is wide open. I wonder how many systems that are infrastructure-centric are in the same boat?

If a South Houston utility can be hacked at will, then how about Boise or Sacramento? Houston has some of the brightest minds dealing with the oil and gas industries, but I guess security isn't one of their areas of expertise.

Did Weiss push the panic button? Did DHS do the same by releasing a bad report? Is this just another indication that we are so afraid the Big Bad Wolf is at the door that we will jump to conclusions that support our dire predictions instead of first making sure that our systems are protected at some level?