Did an Illinois Water Utility Come Under a Cyberattack?
And why was it connected to the Internet, anyway?
A danger scenario that national security experts have been warning about has finally happened—at least, according to news headlines. Reports say that a cyberattack carried out by foreign nationals successfully shut down a pump at an Illinois water utility. But is that really what happened?
Details about the incident at the Currant-Gardner Public Water District in Springfield, Ill., are sparse. It was brought into the media spotlight by security-conference organizer and researcher Joe Weiss, who has a commercial interest in announcing attacks against so-called “supervisory control and data acquisition” systems. (SCADA systems basically control the automated processes used by water and power companies, plus many other industries.)
Here’s what we do know: The Illinois utility experienced a pump failure. The software vendor that supports the utility was hacked, and usernames and passwords were stolen. The hack could have occurred as long as two months before; the exact timeline isn’t clear. With the stolen username and passwords, it’s conceivable that someone was able to access the utility controls and shut down the pump. However, the pump had been experiencing mechanical problems for a while, and the SCADA system logs revealed some unspecified anomalies a few months prior to the event. (Update, 5:52 p.m.: Today, the FBI and the Department of Homeland Security announced that they “found no evidence of a cyber intrusion” into the Illinois utility’s SCADA system.)
What if there really were a cyberattack? Then we have to answer two questions. First: Why burn out a water pump that serves a rural community of fewer than 5,100 people? There are several possible answers, the most likely being that an attacker wanted to demonstrate—to himself, to his backers, to the world—that it could be done. In fact, that very thing happened to another water utility in Houston on Nov. 18, shortly after the media reported the Illinois story. A hacker named Pr0f compromised the SCADA software used by a South Houston water utility and posted proof attack on Pastebin, a site that hackers use to post stolen usernames, passwords, email addresses, and other content “liberated” from government or other targeted websites. Pr0f claimed that the attack was so easy to carry out that he hesitated to even call it a “hack.” The password the Houston utility used to guard its Siemens Simatic Human Machine Interface software—which gives human operators a visual display of how their water pumps, centrifuges, drilling equipment, robotics, etc. are functioning—consisted of only three characters. This follows a highly publicized demonstration of multiple vulnerabilities in Siemens Simatic software by security researcher Dillon Beresford at the annual Black Hat conference in Las Vegas last summer. Siemens is the world’s largest producer of SCADA software, and its customers include everyone from oil drilling rigs to hydroelectric stations to nuclear fuel enrichment plants.
The real story behind these simultaneous incidents is that the state of security for the United States’ critical infrastructure is astoundingly poor. The Houston attack, at least, demonstrates that despite the well-publicized risks, utilities and other sensitive organizations haven’t secured their systems in the most basic ways. After the potential Illinois attack broke, many casual observers asked our second important question: Why are these important systems hooked up to the Internet in the first place?
It’s misleading to say that they’re connected to the Web. It makes it sound like the SCADA system has its own website or that the control engineers are playing online games from their desktops. That’s not the case. The reality is that in order to save money, the control servers are connected to the same local area network (LAN) as the front office computers, which do have Internet access. Therefore, if a bad guy can take over a desktop belonging to the receptionist, for example, he’ll very quickly figure out how to connect with the control servers that are part of the same LAN. In order to avoid this from happening, control servers are supposed to be on an entirely separate network. (This is called being “air-gapped.”) However, setting up two completely separate networks can be a very costly exercise, and a lot of small utilities just don’t bother to do it.
Removing utilities and other sensitive operations from the Internet wouldn’t necessarily ensure perfect security, either. Even if the computer that runs the SCADA software isn’t connected to a network with Internet access, it still has to be serviced by vendors or other company employees. These maintenance tasks are often performed with laptops that are regularly connected to the Internet and may be hosting malware—which in turn could infect the SCADA server. The same thing happens with the use of USB flash drives.
Siemens, whose software was exploited via the Stuxnet worm, has yet to fix all of the vulnerabilities that made that attack possible—like hardwired passwords that can’t be changed. In all likelihood, Siemens and other companies will never fix the outrageous vulnerabilities because doing so would be too costly for the company. Profit always trumps security. The critical infrastructure of the United States is 90 percent privately held, and owner companies are required by law to maximize profits or potentially face a shareholder lawsuit. In the coming years, we’ll see more incidents like the ones in Illinois and Texas—relatively harmless hacks and false alarms that should serve as warnings. Now is the time to heed them.
Congress should make it a priority to create a protective legal umbrella for utility companies against shareholder lawsuits if their investment in securing their networks hurts their profitability for one or more years. Losing profits is one thing. But the potential loss of life that could occur through catastrophic system failure at a nuclear power plant or a sustained cascading power failure in a heavily populated region is far worse.
This article arises from Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.
Jeffrey Carr is the author of Inside Cyber Warfare and the founder/CEO of Taia Global Inc., a cybersecurity consultancy.