While putting industrial systems on the Internet may make it easier to manage and monitor them remotely, they are also exposing critical infrastructure to cyber-attacks.
Security professionals have
been sounding the alarm about protecting critical infrastructure from
cyber-attackers for a while, and recent incidents show that attacks are very
Shortly after reports
emerged of cyber-attackers breaching
a city water utility
network in Springfield, Ill., and damaging a water
pump, another hacker, going by the name "pr0f" targeted a city water
utility in South Houston, Texas, to show how easy it was to compromise the
industrial-control systems at these facilities. He posted screenshots purported
to be taken after breaching the system, but there is no definitive way to look
at the images and ascertain whether they are legitimate, Andre Eaddy, director
of cyber-security portfolio services at Unisys, told eWEEK.
However, even without
additional details on what happened in the attack at the Illinois facility or
the South Houston plant, attacks against critical infrastructure need to be
taken seriously, Eaddy said.
"Without a question,
this was not an isolated event. There will be other events to follow,"
There was no harm done to
the sewer system, and the supervisory control and data acquisition (SCADA)
system has been taken offline, South Houston Mayor Joe Soto told the Houston
. Pr0f claimed to have steered clear of causing any damage,
calling such vandalism "stupid and silly."
Pr0f also blamed the utility
for connecting SCADA systems to the Internet. In subsequent interviews
, pr0f claimed the
facility was running Siemens Simatic human-machine interface software that was
accessible from the Internet and was protected with a password only three
"I wouldn't even call
this a hack, either, just to say. This required almost no skill and could be
reproduced by a two-year old with a basic knowledge of Simatic," he wrote
in a post on Pastebin,
Hooking up SCADA systems to
the Internet is not a security "best practice," Eaddy said, but there
are a number of reasons a business might decide to do so, such as the convenience
of being able to remotely monitor and manage the facility. Whether the business
reason is worth the risk, depends on the organization's tolerance level, he
Utility companies have the
responsibility to ensure their systems are reasonably secure and not to engage
in "sub-par, risky practices," such as running outdated software or
using applications known to be insecure, according Eaddy. Hackers aren't
necessarily crafting exotic exploits or customizing new attacks, as they can
target known vulnerabilities in programs that haven't been fixed, he said.
These aren't zero-day bugs, but rather issues that people have known about for
a long time, according to Eaddy.
"I dislike, immensely,
how the DHS tends to downplay" the weaknesses of the national infrastructure,
the hacker wrote on Pastebin,
claiming that the South Houston breach was spurred in part to show that the
Springfield attack was not an unusual incident.
According to a security
, who had access to portions of the report issued by the Illinois
Statewide Terrorism and Intelligence Center about the attack in Springfield,
the water utility was running a copy of phpMyAdmin, a popular Web-based
database administration tool.
The attack was similar to a
recent compromise of servers at the Massachusetts Institute of Technology
earlier this month, the Illinois state agency wrote in the report. "The
water district's attack and the MIT attack both had references to phpMyAdmin in
the log files of the computer systems," the report said.
According to the National
Vulnerability Database, phpMyAdmin has over 100 reported security
vulnerabilities. Chester Wisniewski, a senior security advisor at Sophos, said
he used to use phpMyAdmin on a personal site but uninstalled it four years ago
because the software was too insecure for a "play" site.
It is becoming a common
practice to connect sensitive critical infrastructure to the Internet and use
off-the-shelf software to manage them for convenience and to keep costs low,
"but this is bordering on criminally negligent when you are responsible
for our water, power, gas and other sensitive utilities," Wisniewski wrote
on the Naked Security blog.
"The Department of
Homeland Security needs to do a top-down audit of these systems and mandate
that these insecure practices come to an end," Wisniewski said.
Eaddy also said that it was
important for industry-focused information sharing and analysis centers to do a
"better job" reporting and disclosing incidents as they occur.