future tense
Did an Illinois Water Utility Come Under a
Cyberattack?
And why was it connected to the Internet, anyway?
By JEFFREY CARR
Nov 22, 2011, 5:34 PM
Did foreign nationals hack into an Illinois water utility?
Tomasz Szymanski/Hemera
A danger scenario that national security experts have been warning about
has finally happened—at least, according to news headlines. Reports say
that a cyberattack carried out by foreign nationals successfully shut down a
pump at an Illinois water utility. But is that really what happened?
Details about the incident at the Currant-Gardner Public Water District in
Springfield, Ill., are sparse. It was brought into the media spotlight by
security-conference organizer and researcher Joe Weiss, who has a
commercial interest in announcing attacks against so-called “supervisory
control and data acquisition” systems. (SCADA systems basically control the
automated processes used by water and power companies, plus many other
industries.)
Here’s what we do know: The Illinois utility experienced a pump failure. The
software vendor that supports the utility was hacked, and usernames and
passwords were stolen. The hack could have occurred as long as two months
before; the exact timeline isn’t clear. With the stolen username and
passwords, it’s conceivable that someone was able to access the utility
controls and shut down the pump. However, the pump had been
experiencing mechanical problems for a while, and the SCADA system logs
revealed some unspecified anomalies a few months prior to the event.
(Update, 5:52 p.m.: Today, the FBI and the Department of Homeland
Security announced that they “found no evidence of a cyber intrusion” into
the Illinois utility's SCADA system.)
What if there really were a cyberattack? Then we have to answer two
questions. First: Why burn out a water pump that serves a rural community
of fewer than 5,100 people? There are several possible answers, the most
likely being that an attacker wanted to demonstrate—to himself, to his
backers, to the world—that it could be done. In fact, that very thing happened
to another water utility in Houston on Nov. 18, shortly after the media
reported the Illinois story. A hacker named Pr0f compromised the SCADA
software used by a South Houston water utility and posted proof of the attack on
Pastebin, a site that hackers use to post stolen usernames, passwords, email
addresses, and other content “liberated” from government or other targeted
websites. Pr0f claimed that the attack was so easy to carry out that he
hesitated to even call it a “hack.” The password the Houston utility used to
guard its Siemens Simatic Human Machine Interface software—which gives
human operators a visual display of how their water pumps, centrifuges,
drilling equipment, robotics, etc., are functioning—consisted of only three
characters. This follows a highly publicized demonstration of multiple
vulnerabilities in Siemens Simatic software by security researcher Dillon
Beresford at the annual Black Hat conference in Las Vegas last summer.
Siemens is the world's largest producer of SCADA software, and its
customers include everyone from oil drilling rigs to hydroelectric stations to
nuclear fuel enrichment plants.
The real story behind these simultaneous incidents is that the state of
security for the United States’ critical infrastructure is astoundingly poor.
The Houston attack, at least, demonstrates that despite the well-publicized
risks, utilities and other sensitive organizations haven't secured their
systems in the most basic ways. After the potential Illinois attack broke,
many casual observers asked our second important question: Why are these
important systems hooked up to the Internet in the first place?
It’s misleading to say that they're connected to the Web. It makes it sound
like the SCADA system has its own website or that the control engineers are
playing online games from their desktops. That's not the case. The reality is
that in order to save money, the control servers are connected to the same
local area network (LAN) as the front office computers, which do have
Internet access. Therefore, if a bad guy can take over a desktop belonging to
the receptionist, for example, he'll very quickly figure out how to connect
with the control servers that are part of the same LAN. To prevent this
from happening, control servers are supposed to be on an entirely separate
network. (This is called being “air-gapped.”) However, setting up two
completely separate networks can be a very costly exercise, and a lot of
small utilities just don’t bother to do it.
Removing utilities and other sensitive operations from the Internet wouldn't
necessarily ensure perfect security, either. Even if the computer that runs
the SCADA software isn’t connected to a network with Internet access, it
still has to be serviced by vendors or other company employees. These
maintenance tasks are often performed with laptops that are regularly
connected to the Internet and may be hosting malware—which in turn could
infect the SCADA server. The same thing happens with the use of USB flash
drives.
Siemens, whose software was exploited via the Stuxnet worm, has yet to fix
all of the vulnerabilities that made that attack possible—like hardwired
passwords that can’t be changed. In all likelihood, Siemens and other
companies will never fix the outrageous vulnerabilities because doing so
would be too costly for the company. Profit always trumps security. The
critical infrastructure of the United States is 90 percent privately held, and
owner companies are required by law to maximize profits or potentially face
a shareholder lawsuit. In the coming years, we'll see more incidents like the
ones in Illinois and Texas—relatively harmless hacks and false alarms that
should serve as warnings. Now is the time to heed them.
Congress should make it a priority to create a protective legal umbrella for
utility companies against shareholder lawsuits if their investment in
securing their networks hurts their profitability for one or more years.
Losing profits is one thing. But the potential loss of life that could occur
through catastrophic system failure at a nuclear power plant or a sustained
cascading power failure in a heavily populated region is far worse.
This article arises from Future Tense, a collaboration among Arizona State
University, the New America Foundation, and Slate. Future Tense explores
the ways emerging technologies affect society, policy, and culture. To read
more, visit the Future Tense blog and the Future Tense home page. You can
also follow us on Twitter.
Slate is published by The Slate Group, a Graham Holdings Company.
All contents © 2019 The Slate Group LLC. All rights reserved.