Updated: November 23, 2011
News reports broke on November 18, 2011 (Attack on City Water Station Destroys Pump - Wired) when fellow security specialist Joe Weiss blogged about a report released on November 8, 2011 that a water utility district in Springfield, IL (later identified as Curran-Gardner Public Water District) suffered what looked like a "blended attack". The first phase focused on compromising a supplier's internal system, which contained remote access credentials not only for the target, but for several other, as yet "unnamed", sites. The second phase allowed the attackers to simply "turn the key and walk in the front door", gaining complete access to the industrial control system. The end result was the failure of one of the process pumps.
DHS, and possibly even the FBI, downplayed the attack, stating in their report: "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety". This outraged many, including a twenty-something hacker known only as "pr0f" or @pr0f_sys. As reported on November 18, 2011 (Hacker says he broke into Texas water plant, others - CNET), this attacker then used a completely unrelated attack vector to easily gain access to another water utility in South Houston, TX, and posted several screenshots of the control system on PasteBin. Obviously, he knew what he was doing, and intentionally left the system unaffected. In addition to his initial post, he also wrote a second article on PasteBin providing some insight into what he calls "SCADApocalypse". Interestingly enough, I also came across an earlier PasteBin post from November 3, 2011 by pr0f entitled "Water Metering SCADA", complete with passwords.
So ... when are people going to let us ICS security specialists perform some "light" penetration testing to obtain an accurate assessment of their security posture?
Many people were quick to jump on the "disclosure" bandwagon, blaming either the control system vendor for not disclosing critical security vulnerabilities, or DHS / ICS-CERT for not disclosing information about the breach. Unfortunately, it is SCADAhacker's view, given the limited information available, that both of these attacks had little to do with the ICS / SCADA vendor, but rather with poor security implementation practices by either the owner-operator or the system integrator responsible for commissioning these systems. This is obviously not the end of these types of attacks, and SCADAhacker will continue to provide timely, relevant information to help protect the ICS and SCADA systems used to control our critical infrastructure and manufacturing processes.
All of this information is going to be placed into a case study that will make an excellent module in my 2012 course entitled "Understanding and Securing Industrial Control Systems".
Threat Post was able to get an interview with pr0f and released a very informative article on November 20, 2011 (Hacker says Texas Town used Three Character Password to Secure Internet Facing SCADA System) which provided additional details regarding the target ICS vendor and the poor "3-letter" password which was used to compromise the system(s).
Elinor Mills from CNET posted a new story on November 22, 2011 (DHS Denies Report on Water Utility Hack) in advance of the official DHS announcement that followed the next day in Information Bulletin ICSB-11-327-01 on the Illinois Water Pump Failure incident, which found no evidence of a cyber breach at the facility. Conveniently enough, it still lacks an explanation of the second attack, on the facility in South Houston. In an email to ICSJWG members, ICS-CERT wrote, "ICS-CERT is assisting the FBI to gather more information about this incident", which leads me to believe that they have uncovered enough information to further investigate what is most likely an easy penetration of the target systems. Elinor interviewed me, and I provided her with numerous examples of the lack of "urgency" I see when looking at security in the manufacturing sector.
What is most disturbing when reading reports like that from DHS ICS-CERT are comments like "ICS-CERT has not received any additional reports of impacted manufacturers of ICS or other ICS related stakeholders related to these events." It appears that they have not uncovered the vulnerability used by pr0f in his attack, and also do not have the enumeration data which shows several other potential targets! I believe there is a lot more to come regarding this breach.
Even more interesting is a related event that occurred in New Jersey, published by Homeland Security News Wire on November 21, 2011, which describes yet another attack on the West Milford water system that "shut off power to water systems, opened valves that should have been shut, and thrown a plank of wood into a sewage filtration system." This appears to be a physical attack, but details are still not official.
This story is far from over ... stay tuned for more !!!