SCADA Attack on City Water Station: What Really Happened?
By Martha Aviles
The Illinois Statewide Terrorism and Intelligence Center (STIC) recently circulated an official report stating that a hacker had attacked the IT infrastructure of a city water utility in Springfield, Ill., and that the intrusion had left a water pump inoperable. The story was covered by Wired, threatpost and other outlets and quickly grew into a major news item, because it would have been not only the first reported foreign cyber attack on U.S. critical infrastructure, but also one that physically disabled equipment.
Then the story took an even stranger turn: new reports refuted the original STIC document, and the Department of Homeland Security (DHS) weighed in with a statement of its own:
“The Department of Homeland Security and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Ill. At this time there is no credible, corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” said Peter Boogaard, spokesman for DHS.
Exploiting SCADA Control Systems to Attack Large, Industrial Infrastructures
Let’s take a step back and look at the issues that may, or may not, have been involved. As my colleague Frank Gifford wrote earlier this year, one protocol widely used in SCADA systems is IEC 104 (IEC 60870-5-104). It carries telecontrol messages over TCP/IP between a control station and the remote terminal units that monitor and operate equipment such as water pumps, and it can encode measurements, status indications and commands from many devices in a number of different formats.
In the Springfield case, the hacker (allegedly, depending on whom you ask) was said to have first compromised the network of the software vendor that supplied the utility’s SCADA system. Then, using usernames and passwords stolen there, he logged in remotely to the utility’s network and switched the system on and off repeatedly until the water pump burned out.
SCADA software vendors often keep customers’ credentials on their own networks in order to provide support, maintenance and upgrades, and in this account those credentials were exactly what the attacker used. Utility networks have been breached before, but this would have been the first reported (or, as we will see, perhaps not) SCADA attack to damage physical equipment at a U.S. utility.
But Did the Attack Really Happen?
As I mentioned above, DHS now says the attack is unconfirmed and is downplaying its significance. Wired has published further articles with its own take on events, and theories abound as to what the truth is.
A hacker using the handle “pr0f,” who said he had nothing to do with the Illinois incident, responded to the DHS statement the very next day by breaking into another drinking water utility, this one in Texas, and posting screenshots of its control interface to show how easy such access is. He also released an “official” statement: “I wouldn’t even call this a hack. …This required almost no skill and could be reproduced by a 2-year-old with a basic knowledge of Simatic.”
Wired’s most recent report then explained that what really happened was a comedy of errors. In short, a contractor for one of the SCADA system vendors had logged in to the system while vacationing in Russia to help troubleshoot an issue, and that Russian login in the logs eventually snowballed into reports of America’s own Stuxnet.
Many are frustrated by the conflicting reports from government agencies, but nobody can deny that attacks of this kind, however “easy,” are a big deal. As L. Vance Taylor of Security Debrief put it, this incident is a “game changer.”
Mitigating Risks and Validating Security of Critical Infrastructure
Why is it a “game changer”? It’s simple, really. To increase operational efficiency, electrical, natural gas and water utilities throughout the country have become networked and automated. That interconnection also increases the risk that an attacker can reach and exploit vulnerabilities in critical infrastructure. Fortunately and unfortunately, nearly all of these systems have one thing in common: SCADA. Fortunate, because you know exactly what to test in order to harden your infrastructure; unfortunate, because the same weaknesses recur from one utility to the next.
A quote from Frank’s post on IEC 104:
This protocol would generally be used where the measurement devices themselves are not connected to the outside world, which limits potential hacking. To attack these devices, a hacker would have to get inside your facility or else get a worm onto a computer that interacts with the control system running IEC 104. (I’ll caution you again, as I did in the SCCP blog post, that a cunning attacker could obtain this access in your corporate waiting area as he “applies” for a job.)
That appears to be what happened here: the attacker got into the system easily and, once inside, could wreak havoc through the control protocol (IEC 104 in Frank’s scenario). Since the same thing could happen at any utility, it makes sense to test these exact scenarios to determine:
- Possible damage from attack
- Early warning signs of an attack
- How to harden defenses internally to deflect attack
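As an added example covering both the IEC 104 description above and the three questions in this list (this is not code from the original post, nor from the utility or vendor involved), here is a minimal Python parser for IEC 60870-5-104 frames together with a monitor that flags two early warning signs a utility could test for: a control command arriving from a host that is not a known master, and one control point being executed repeatedly within a short window, which is the on/off cycling described in the reported attack. The frames, IP addresses and master allowlist are constructed for the demo, and the alert thresholds are assumptions.

```python
"""Added example; not code from the original post, nor from any utility or vendor it mentions.
Minimal IEC 60870-5-104 (IEC 104) APDU/ASDU parser plus a monitor for two early warning signs:
control commands from a host that is not a known master, and one control point driven
repeatedly in a short window (the "on and off until the pump burns out" pattern).
All frames, addresses and the allowlist below are constructed for this demo."""
import struct
from collections import defaultdict, deque

TYPE_NAMES = {13: "M_ME_NC_1 short float measurand", 45: "C_SC_NA_1 single command"}
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

def is_control_type(type_id):
    """Control-direction ASDUs: process commands 45-69, system commands 100-107."""
    return 45 <= type_id <= 69 or 100 <= type_id <= 107

def parse_apdu(data):
    """Parse one APDU: 0x68, length, four control bytes, then an ASDU for I-format frames."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (bad start byte or too short)")
    if data[1] < 4 or len(data) != data[1] + 2:
        raise ValueError("APDU length field does not match frame size")
    cf1, cf2, cf3, cf4 = data[2:6]
    if cf1 & 0x01 == 0:                      # I-format: numbered data transfer
        return {"format": "I", "send_seq": (cf1 >> 1) | (cf2 << 7),
                "recv_seq": (cf3 >> 1) | (cf4 << 7), "asdu": parse_asdu(data[6:])}
    if cf1 & 0x03 == 0x01:                   # S-format: supervisory acknowledgement
        return {"format": "S", "recv_seq": (cf3 >> 1) | (cf4 << 7)}
    return {"format": "U", "function": U_FUNCTIONS.get(cf1, "unknown 0x%02x" % cf1)}

def parse_asdu(asdu):
    """Decode the ASDU header and the information objects of the two types handled here."""
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    if vsq & 0x80:
        raise ValueError("SQ=1 (sequence of elements) not handled in this example")
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    objects, pos = [], 6
    for _ in range(vsq & 0x7F):
        ioa = int.from_bytes(asdu[pos:pos + 3], "little"); pos += 3
        if type_id == 13:     # IEEE 754 short float followed by a QDS quality byte
            value = struct.unpack_from("<f", asdu, pos)[0]; pos += 5
        elif type_id == 45:   # SCO: bit 0 = state (1 ON), bit 7 = S/E (1 select, 0 execute)
            sco = asdu[pos]; pos += 1
            value = {"state": "ON" if sco & 0x01 else "OFF", "select": bool(sco & 0x80)}
        else:
            raise ValueError("type %d not decoded in this example" % type_id)
        objects.append({"ioa": ioa, "value": value})
    return {"type_id": type_id, "type": TYPE_NAMES.get(type_id, "type %d" % type_id),
            "cot": cot & 0x3F, "negative": bool(cot & 0x40), "test": bool(cot & 0x80),
            "originator": originator, "common_addr": common_addr, "objects": objects}

class CommandMonitor:
    """Flags control ASDUs from unknown hosts and repeated execute commands on one point."""
    def __init__(self, allowed_masters, max_commands=4, window_s=60):
        self.allowed, self.max_commands, self.window_s = set(allowed_masters), max_commands, window_s
        self.history = defaultdict(deque)    # (common_addr, ioa) -> execute timestamps

    def observe(self, ts, src_ip, data):
        alerts, frame = [], parse_apdu(data)
        if frame["format"] != "I" or not is_control_type(frame["asdu"]["type_id"]):
            return alerts
        asdu = frame["asdu"]
        if src_ip not in self.allowed:
            alerts.append("%s from non-master host %s" % (asdu["type"], src_ip))
        for obj in asdu["objects"] if asdu["type_id"] == 45 else []:
            if obj["value"]["select"]:
                continue                     # select phase only; nothing actuated yet
            hist = self.history[(asdu["common_addr"], obj["ioa"])]
            hist.append(ts)
            while ts - hist[0] > self.window_s:
                hist.popleft()
            if len(hist) > self.max_commands:
                alerts.append("IOA %d commanded %d times in %ds (pump cycling?)"
                              % (obj["ioa"], len(hist), self.window_s))
        return alerts

def sc_frame(send_seq, ioa, on):
    """Build an I-frame carrying C_SC_NA_1 (COT 6 activation, execute) for the demo."""
    asdu = bytes([45, 1, 6, 0]) + struct.pack("<H", 1) + ioa.to_bytes(3, "little") + bytes([int(on)])
    return bytes([0x68, 4 + len(asdu), (send_seq << 1) & 0xFF, (send_seq >> 7) & 0xFF, 0, 0]) + asdu

# Constructed frames: an unnumbered TESTFR act, and a spontaneous 12.5 reading on IOA 200.
TESTFR_ACT = bytes.fromhex("68 04 43 00 00 00")
MEASURED = bytes.fromhex("68 12 02 00 00 00 0d 01 03 00 01 00 c8 00 00 00 00 48 41 00")

def run_demo():
    """Replay a constructed capture: normal master/RTU traffic, then an intruder cycling IOA 100."""
    mon = CommandMonitor(allowed_masters={"10.0.0.5"})
    events = [(0, "10.0.0.5", TESTFR_ACT), (1, "10.0.0.5", sc_frame(0, 100, True)),
              (2, "10.0.0.20", MEASURED)]
    events += [(10 + 5 * i, "203.0.113.7", sc_frame(i + 1, 100, i % 2 == 0)) for i in range(6)]
    return [a for ts, src, data in events for a in mon.observe(ts, src, data)]

if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The parser decodes only the two ASDU types the demo needs (short-float measurands and single commands) and rejects SQ=1 sequences; a production tool would cover the full type table and track I-frame sequence numbers per TCP connection. Note also what this does not catch: the credential theft at the vendor happens long before any command reaches the control network, so source allowlisting and command-rate monitoring belong alongside locking down remote support access, not instead of it.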
For example, Frank’s post describes specific extreme-case scenarios you can test to get hard numbers on exactly how much traffic pushes the servers past their breaking point, and it reviews some of the backdoor methods attackers use to get into these critical infrastructure networks. All of this is available to you within our network security testing products as well.
Keeping Cyber Security at the Forefront
And just when you think the story of the water pump cyber attack is over, Information Age reports that an FBI official has acknowledged that hackers recently accessed the SCADA systems of three U.S. cities, without specifying which ones. According to Michael Welch, the assistant director of the FBI's Cyber Division:
"We just had a circumstance where we had three cities, one of them a major city within the U.S., where you had several hackers that made their way into SCADA systems," said Welch at the Flemings Cyber Security Conference in London.
Welch did not say whether this referred to the Springfield, Illinois water pump, so the jury is still out on what really happened there. Whether this time was a misunderstanding or an actual occurrence, we know there will be a next time. The best way to get ready is to test these exact scenarios. Check out the resources below to get started.
Related Links:
Mobile Malware and SCADA Testing Updates