Alleged water utility hack causes confusion
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has given the all-clear: the Illinois water utility incident in which a pump was destroyed was apparently not caused by an intrusion after all. However, there are reasons to doubt this reassuring assessment.
An email to the Industrial Control Systems Joint Working Group (ICSJWG) said that after detailed analysis, the US Department of Homeland Security (DHS) and the FBI "have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois." However, the notification that a hacker intruded into the water utility also appeared to originate from official sources. Joe Weiss, the blogger who publicised the incident, said that he got his information from the Illinois State Terrorism and Intelligence Center (STIC).
Security blogger Brian Krebs quotes from the following confidential STIC report:
"Sometime during the day of Nov. 8, 2011, a water district employee noticed problems with a SCADA system. An information technology service and repair company checked the computer logs of the SCADA system and determined the system had been remotely hacked into from an Internet provider address located in Russia."
Talking to a local TV station, the chairman of the affected Curran-Gardner Water District also said that there is evidence of an intrusion into the SCADA system that allowed the pumps to be accessed remotely (the video is also available on Krebs' blog). Weiss wondered how these official sources could have arrived at such conflicting analyses. The blogger expressed concern that the resulting confusion might further delay the steps necessary to protect potentially affected infrastructures.
The situation surrounding the second intrusion into the Texas water utility remains unclear, although the hacker even released screenshots of the SCADA system in question. The ICS-CERT says that the incident is still being investigated. However, regardless of whether there really have been intrusions or even actual vandalism, the fact that SCADA system security is in bad shape is undisputed among experts.
Siemens SIMATIC has repeatedly played a particularly negative role in this context – with Telnet services that use the hard-coded user name and password combination "basisk", and with the network connection being given the default password "100". The Stuxnet worm demonstrated how such vulnerabilities can be exploited: on local networks, it used hard-coded MS-SQL database access credentials to get to WinCC systems and, from there, it proceeded to destroy uranium enrichment centrifuges.