Print this page

SCADA Vulnerability used in Illinois water plant breach

Rate this item
(0 votes)

Reading time is around minutes.

90Remember when we told you about the SCADA vulnerabilities (here and here)? Well back in August we talked at length about how many of these control systems not only use the default passwords but are connected to the internet. On top of all of these there are a large number that have no high-level security (beyond simple passwords). This puts many of our vital infrastructure services at great risk to compromise from outside parties.

Well it looks like someone actually put a plan into action and has breached a water utility in Springfield Illinois. The attack was tracked back to IP addresses that originate in Russia (although that does not mean that is where the attack was from), and ended up with a burned pout water pump. To accomplish this it appears the attackers, using the connected SADA controls, turned the water pump on and off repeatedly until it burned out.

Now there is more to this incident that meets the eye at first. This latest when taken in context shows an alarming pattern. The first item up for consideration is the Stuxnet worm. This nasty little piece of malware was aimed directly at the command and control systems of infrastructure services (water, power, etc.) in Iran. Tied to this worm were a handful of “stolen” security certificates.  These certificates allow malicious sites to appear legitimate to the unsuspecting web surfer. They can also (as we have found out) be misused to sign the code of malware so that it gets by many security features in modern operating systems.  

After these other incidents a new worm (based off of the same code as Stuxnet) showed up on the scene and managed to get into several global utilities. At the time the purpose of this worm (known as Duqu) was not clear. Some now think it was to gather intelligence on response and also to gain more information about the way infrastructure services operate (Including gathering default user names and passwords on control devices). This is a very plausible scenario as the worm would run for a predefined period of time, transmit encrypted data back to its control servers, and then remove itself.

Now we have what appears to be an attack on a US water utility in Illinois. Although I do not think this is a major effort, I do think that we are seeing proof of concept work for something major. Both the Department of Homeland Security and Federal Bureau of Investigation are currently claiming there is no credible evidence that there is a threat to public safety or to critical infrastructure entities…

I am not sure which ones they are talking about, but I am pretty sure that a breach like this should be a major concern for them and, if nothing else, should prompt companies to remove systems like this from the internet AND their internal networks. Having them on the network might make things easier to manage, but that ease of use works both ways.

Source The Register

Discuss in our Forum

Last modified on Sunday, 20 November 2011 21:32
Sean Kalinich

Latest from Sean Kalinich

Related items