Last week the news blogs were filled with reports of a second attack on a supervisory control and data acquisition (SCADA) system, this one at the Curran-Gardner Township Public Water District near Springfield, Ill. The first, which was extensively covered, was the Stuxnet malware aimed at an Iranian nuclear facility. We wrote earlier this summer about how Symantec's anti-virus researchers reverse engineered that malware and demonstrated it to us here, and about Duqu, the Stuxnet-related malware found last month on European networks.
Computerworld also reported last week on another claimed attack, this one on a Houston utility.
The Illinois attack was made public by SCADA cybersecurity expert Joe Weiss, who laid out the specifics on his ControlGlobal blog. First, the attacker's IP address was traced to Russia, but that by itself means little: a source address says nothing about who was behind the keyboard, since attackers routinely route through proxies or compromised hosts in other countries. For several months before last week's attack, operators had noticed various "minor glitches" in remote access sessions to the SCADA system. The attackers are thought to have obtained usernames and passwords for the system by first breaking into a computer belonging to the utility's SCADA software vendor, according to Weiss and subsequent reports.
The damage ultimately attributed to the attack was a burned-out water pump. If the reports are accurate, this would be the first time someone has targeted an industrial facility in the US in this manner. That is a big "if" indeed.
A friend of mine who works as an engineer for another water company told me that they “have very secure systems with firewalls between our SCADA and office net and finance systems. The guys that have access to our SCADA system are set up in 5 layers of rights. Those with access to actually change things have digital keys that reset password codes every few minutes. I suppose that the system in Springfield could be penetrated as they say and running the pump on and off could cause damage. It’ll be interesting to see if that was the case or if someone named Homer Simpson was just eating donuts in Springfield instead of responding to the pump alarms.”
Whether the Springfield utility followed best practices in how it connected its SCADA controllers remains to be seen. The controllers themselves run their own firmware and operating systems, but they are typically programmed and monitored from Windows PCs, and those PCs can be infected with ordinary malware. That is indeed how the original Stuxnet attack started: it reached the Windows engineering workstations, infected USB drives being one of its routes in, and from there used the Siemens STEP 7 programming software to rewrite the logic on the controllers.
Weiss points out that there is a lot of misinformation at this point. Various agencies are set up to share reports about these kinds of events, but few of them have posted anything authoritative yet. And in the Illinois case, a number of state and federal agencies have to coordinate their activities to handle this kind of attack, and they are still working out the details.
Photo c/o CleanWaterWaste.com.