Future Tense

Did an Illinois Water Utility Come Under a Cyberattack?

And why was it connected to the Internet, anyway?

By JEFFREY CARR
Nov 22, 2011, 5:34PM

Photo caption: Did foreign nationals hack into an Illinois water utility? (Tomasz Szymanski/Hemera)

A danger scenario that national security experts have been warning about has finally happened—at least, according to news headlines. Reports say that a cyberattack carried out by foreign nationals successfully shut down a pump at an Illinois water utility. But is that really what happened?

Details about the incident at the Curran-Gardner Public Water District in Springfield, Ill., are sparse. It was brought into the media spotlight by security-conference organizer and researcher Joe Weiss, who has a commercial interest in announcing attacks against so-called “supervisory control and data acquisition” systems. (SCADA systems basically control the automated processes used by water and power companies, plus many other industries.)

Here’s what we do know: The Illinois utility experienced a pump failure. The software vendor that supports the utility was hacked, and usernames and passwords were stolen. The hack could have occurred as long as two months before; the exact timeline isn’t clear. With the stolen usernames and passwords, it’s conceivable that someone was able to access the utility controls and shut down the pump. However, the pump had been experiencing mechanical problems for a while, and the SCADA system logs revealed some unspecified anomalies a few months prior to the event.

(Update, 5:52 p.m.: Today, the FBI and the Department of Homeland Security announced that they “found no evidence of a cyber intrusion” into the Illinois utility's SCADA system.)

What if there really were a cyberattack? Then we have to answer two questions.
First: Why burn out a water pump that serves a rural community of fewer than 5,100 people? There are several possible answers, the most likely being that an attacker wanted to demonstrate—to himself, to his backers, to the world—that it could be done. In fact, that very thing happened to another water utility in Houston on Nov. 18, shortly after the media reported the Illinois story. A hacker named Pr0f compromised the SCADA software used by a South Houston water utility and posted proof of the attack on Pastebin, a site that hackers use to post stolen usernames, passwords, email addresses, and other content “liberated” from government or other targeted websites. Pr0f claimed that the attack was so easy to carry out that he hesitated to even call it a “hack.” The password the Houston utility used to guard its Siemens Simatic Human Machine Interface software—which gives human operators a visual display of how their water pumps, centrifuges, drilling equipment, robotics, etc., are functioning—consisted of only three characters.

This follows a highly publicized demonstration of multiple vulnerabilities in Siemens Simatic software by security researcher Dillon Beresford at the annual Black Hat conference in Las Vegas last summer. Siemens is the world's largest producer of SCADA software, and its customers include everyone from oil drilling rigs to hydroelectric stations to nuclear fuel enrichment plants.

The real story behind these simultaneous incidents is that the state of security for the United States’ critical infrastructure is astoundingly poor. The Houston attack, at least, demonstrates that despite the well-publicized risks, utilities and other sensitive organizations haven't secured their systems in the most basic ways.
After the potential Illinois attack broke, many casual observers asked our second important question: Why are these important systems hooked up to the Internet in the first place?

It’s misleading to say that they're connected to the Web. It makes it sound like the SCADA system has its own website or that the control engineers are playing online games from their desktops. That's not the case. The reality is that in order to save money, the control servers are connected to the same local area network (LAN) as the front office computers, which do have Internet access. Therefore, if a bad guy can take over a desktop belonging to the receptionist, for example, he'll very quickly figure out how to connect with the control servers that are part of the same LAN. To prevent this, control servers are supposed to be on an entirely separate network. (This is called being “air-gapped.”) However, setting up two completely separate networks can be a very costly exercise, and a lot of small utilities just don’t bother to do it.

Removing utilities and other sensitive operations from the Internet wouldn't necessarily ensure perfect security, either. Even if the computer that runs the SCADA software isn’t connected to a network with Internet access, it still has to be serviced by vendors or other company employees. These maintenance tasks are often performed with laptops that are regularly connected to the Internet and may be hosting malware—which in turn could infect the SCADA server. The same thing happens with the use of USB flash drives.

Siemens, whose software was exploited via the Stuxnet worm, has yet to fix all of the vulnerabilities that made that attack possible—like hardwired passwords that can’t be changed.
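The shared-LAN and maintenance-laptop exposures described above can be checked from an asset inventory. The following Python is an added example, not part of the original article; the host names, subnets and roles are constructed, and it goes one step beyond the article by also following multi-hop paths through machines attached to two networks.

```python
import ipaddress
from collections import deque

# Constructed inventory (not from the article): role, attached subnets, and
# whether the host ever has Internet access.
INVENTORY = {
    "reception-pc":    {"role": "office",  "nets": ["192.168.1.0/24"], "internet": True},
    "scada-server":    {"role": "control", "nets": ["192.168.1.0/24"], "internet": False},
    "hmi-station":     {"role": "control", "nets": ["10.10.0.0/24"], "internet": False},
    "vendor-laptop":   {"role": "service", "nets": ["10.10.0.0/24"], "internet": True},
    "eng-workstation": {"role": "control",
                        "nets": ["192.168.1.0/24", "10.20.0.0/24"], "internet": False},
    "pump-plc":        {"role": "control", "nets": ["10.20.0.0/24"], "internet": False},
    "isolated-plc":    {"role": "control", "nets": ["10.30.0.0/24"], "internet": False},
}

def shares_network(a, b):
    """True if any subnet attached to host a overlaps one attached to host b."""
    return any(ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
               for x in a["nets"] for y in b["nets"])

def exposure_paths(inventory):
    """Map each control host to the shortest chain of hosts linking it to an
    Internet-capable machine, or None if it is effectively air-gapped."""
    results = {}
    for target, info in inventory.items():
        if info["role"] != "control":
            continue
        # Breadth-first search outward from the control host.
        queue, seen, found = deque([[target]]), {target}, None
        while queue and found is None:
            path = queue.popleft()
            for name, other in inventory.items():
                if name in seen or not shares_network(inventory[path[-1]], other):
                    continue
                if other["internet"]:
                    # Report the chain starting at the Internet-capable host.
                    found = [name] + path[::-1]
                    break
                seen.add(name)
                queue.append(path + [name])
        results[target] = found
    return results

if __name__ == "__main__":
    for host, chain in exposure_paths(INVENTORY).items():
        print(host, "->", " > ".join(chain) if chain else "no path found")
```

Any control host that maps to a chain is not air-gapped in practice, whatever the network diagram says.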
In all likelihood, Siemens and other companies will never fix the outrageous vulnerabilities because doing so would be too costly for the company. Profit always trumps security. The critical infrastructure of the United States is 90 percent privately held, and owner companies are required by law to maximize profits or potentially face a shareholder lawsuit.

In the coming years, we'll see more incidents like the ones in Illinois and Texas—relatively harmless hacks and false alarms that should serve as warnings. Now is the time to heed them. Congress should make it a priority to create a protective legal umbrella for utility companies against shareholder lawsuits if their investment in securing their networks hurts their profitability for one or more years. Losing profits is one thing. But the potential loss of life that could occur through catastrophic system failure at a nuclear power plant or a sustained cascading power failure in a heavily populated region is far worse.

This article arises from Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.
Slate is published by The Slate Group, a Graham Holdings Company. All contents © 2019 The Slate Group LLC. All rights reserved.
