Cyber-attackers recently accessed the critical infrastructure of
three cities in the United States by compromising the industrial
control systems, a federal law enforcement official said at a security
conference.
Unknown perpetrators had compromised the supervisory control and data
acquisition (SCADA) systems monitoring infrastructure in three U.S.
cities and could have done a lot of damage, Michael Welch, the deputy
assistant director of the Federal Bureau of Investigation's Cyber
Division, told attendees at the Flemings Cyber-Security conference in
London on Nov. 29. The attacks were a "tease" to law enforcement and
city officials saying "I'm here, what are you going to do about it,"
Welch said, according to a report by Information Age.
Welch did not clarify whether these incidents included the recent
reports of an attack that damaged a water pump at a water facility in
Springfield, Ill., which the Department of Homeland Security later
denied, or the breach at a South Houston, Texas, water utility.
The DHS investigated the Springfield incident and said the state
agency's report claiming the water pump had been damaged because of a
cyber-attack was not a final conclusion and was wrong. The attacker
behind the South Houston breach claimed to have hacked into the network
to show that it can be done, despite DHS underplaying the seriousness
of the issue.
"We just had a circumstance where we had three cities, one of them a
major city within the U.S., where you had several hackers that had made
their way into SCADA systems within the city," Welch said.
The attackers had control of the city's systems and could have
performed a variety of malicious activities, such as dumping raw sewage
into the lake and shutting down a power plant at a mall, according to
Welch.
The biggest problem facing municipal utilities is that they
"underestimate the reality" of cyber-security threats and their
relative vulnerability, Patrick Miller, CEO of EnergySec, told eWEEK.
EnergySec is a non-profit organization devoted to helping energy sector
organizations secure critical technology infrastructure and is
supported by the Department of Energy. The utilities think they are too
small to be a target, or think they don't have anything of value to a
hacker, terrorist or an organized crime ring, according to Miller.
"The assumption is wrong in so many ways" because these smaller
utilities are often connected to larger infrastructures and networks,
Miller said.
While the threat facing cities through attacks on SCADA systems "has been somewhat exaggerated," the threat is very real
and the vulnerabilities have been "underestimated," according to
Miller. "Realistically, cities should already be on high alert for
SCADA attacks," said Miller.
Utilities often operate an "aging infrastructure" that has been
extended beyond its lifespan and often have insufficient staff to
manage it, according to Miller. Getting funding for new hires or upgrading
equipment is a challenge because many utilities have elected officials,
and "few elected officials are willing to spend money on equipment and
staff that aren’t directly tied to getting or maintaining future
votes," Miller said.
Miller was also concerned that the news about SCADA networks in three
cities being hacked was not released at a meeting in the U.S. It was
possible that the information had already been quietly disclosed to
cities with "similar profiles or technologies," which would mean "no
public airtime" unless someone leaked the details, said Miller.
It was possible that this was a way of "confirming the breaches without providing the classified information," Miller said.
Miller said the Springfield, Ill. incident highlighted the importance
of proper forensics and clear communication. The utility should have
investigated the incident thoroughly, and the Illinois Fusion Center,
which issued the report claiming the cyber-attack on the SCADA system,
should have indicated the report was still "unconfirmed" or in
"preliminary" stages, he said. DHS should also have issued something
immediately to indicate the report was still inconclusive.