Water utility hackers destroy pump, expert says

SCADA breach 'a really big deal'


Updated Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery, a computer security expert said.

Joe Weiss, a managing partner for Applied Control Solutions, said the breach was most likely performed after the attackers hacked into the maker of the supervisory control and data acquisition software used by the utility and stole user names and passwords belonging to the manufacturer's customers. The unknown attackers used IP addresses that originated in Russia.

Weiss cited an official government report from the state where the regional water district was located. It was dated November 10, two days after the hack was discovered. The document indicates that the utility had been experiencing unexplained problems with its computerized system in the weeks leading up to the breach.

“Over a period of two to three months, minor glitches had been observed in remote access to the water district's SCADA system,” Weiss said during an interview, in which he read a verbatim portion of the document to The Register. He said that the attackers were able to burn out one of the utility's pumps by causing either the pump or the SCADA system that controlled it to turn on and off “repeatedly.”

Weiss said he obtained the report on the condition that the water utility and the state where it's located aren't disclosed. A statement issued by the US Department of Homeland Security indicated the utility was located in Springfield, Illinois. Weiss published bare-bones details of the hack on Thursday because he wanted to bring attention to an incident he said raised serious concerns about the ability of the US government to secure critical infrastructure.

“This is really a big deal, and what's just as big a deal is what isn't being said or isn't being done,” Weiss said. “What the hell is going on with DHS? Why aren't people being notified?”

He said he's unaware of any water utilities or other SCADA operators who know about the attack.

In an email sent several hours after this article was first published, DHS spokesman Peter Boogaard wrote: "DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."

The Register was unable to verify the claims in the report. A security researcher with no affiliation to Weiss said there was no obvious reason to doubt the attack took place as described.

“It's not surprising,” said Rick Moy, President and CEO of NSS Labs. “These things are connected to the internet in ways they shouldn't be. It's very plausible.”

Over the past few years, the vulnerability of the control systems used to operate power plants, gas refineries, and other industrial systems has been underscored by a variety of events. Chief among them was the Stuxnet computer worm that infiltrated SCADA systems in Iran and disrupted that country's nuclear program. Earlier this year, security researcher Dillon Beresford disclosed bugs in widely used control systems that he said were “far reaching and affect every industrialized nation across the globe.”

More recently, researchers discovered highly sophisticated malware dubbed Duqu had infiltrated at least eight industrial facilities throughout the world by exploiting a previously unknown vulnerability in Microsoft Windows. Some researchers say it was created by people with close ties to Stuxnet.

Weiss said the possibility that attackers of the water utility obtained passwords for multiple customers of the SCADA manufacturer left open the possibility that other industrial facilities are also susceptible or may already have been breached. Many industrial control systems rely on passwords that are hard-coded, making it difficult to change stolen passcodes without causing serious problems.

Weiss said the objectives and identities of the attackers remain a mystery. Possibilities could include a nation state doing reconnaissance, recreational hackers looking for laughs, or a criminal gang setting up an elaborate extortion scheme.

“Until you find who did it, there's no way to know what the motive is,” he said. ®

This article was updated to add comment from DHS.

Follow @dangoodin001 on Twitter.

Similar topics


Other stories you might like

  • Tesla driver charged with vehicular manslaughter after deadly Autopilot crash

    Prosecution seems to be first of its kind in America

    A Tesla driver has seemingly become the first person in the US to be charged with vehicular manslaughter for a deadly crash in which the vehicle's Autopilot mode was engaged.

    According to the cops, the driver exited a highway in his Tesla Model S, ran a red light, and smashed into a Honda Civic at an intersection in Gardena, Los Angeles County, in late 2019. A man and woman in the second car were killed. The Tesla driver and a passenger survived and were taken to hospital.

    Prosecutors in California charged Kevin George Aziz Riad, 27, in October last year though details of the case are only just emerging, according to AP on Tuesday. Riad, a limousine service driver, is facing two counts of vehicular manslaughter, and is free on bail after pleading not guilty.

    Continue reading
  • AMD returns to smartphone graphics with new Samsung chip for your pocket computer

    We're back in black

    AMD's GPU technology is returning to mobile handsets with Samsung's Exynos 2200 system-on-chip, which was announced on Tuesday.

    The Exynos 2200 processor, fabricated using a 4nm process, has Armv9 CPU cores and the oddly named Xclipse GPU, which is an adaptation of AMD's RDNA 2 mainstream GPU architecture.

    AMD was in the handheld GPU market until 2009, when it sold the Imageon GPU and handheld business for $65m to Qualcomm, which turned the tech into the Adreno GPU for its Snapdragon family. AMD's Imageon processors were used in devices from Motorola, Panasonic, Palm and others making Windows Mobile handsets.

    Continue reading
  • Big shock: Guy who fled political violence and became rich in tech now struggles to care about political violence

    'I recognize that I come across as lacking empathy,' billionaire VC admits

    Billionaire tech investor and ex-Facebook senior executive Chamath Palihapitiya was publicly blasted after he said nobody really cares about the reported human rights abuse of Uyghur Muslims in China.

    The blunt comments were made during the latest episode of All-In, a podcast in which Palihapitiya chats to investors and entrepreneurs Jason Calacanis, David Sacks, and David Friedberg about technology.

    The group were debating the Biden administration’s response to what's said to be China's crackdown of Uyghur Muslims when Palihapitiya interrupted and said: “Nobody cares about what’s happening to the Uyghurs, okay? ... I’m telling you a very hard ugly truth, okay? Of all the things that I care about … yes, it is below my line.”

    Continue reading

Biting the hand that feeds IT © 1998–2022