Cyber-Attackers Breach SCADA Network, Destroy Pump at Water Utility

Hackers breached the network at a water utility in Springfield, Ill. and destroyed a pump, according to a post on the Wired Threat Level blog.

Cyber-attackers gained remote access into the control systems used by the city water utility in Springfield, Ill. on Nov. 8, a security expert told Wired. A water district employee noticed the supervisor control and data acquisition (SCADA) systems used in the facility kept turning on and off, causing the attached water pump to burn out, according to the report.

Joe Weiss, a managing partner of Applied Control Solutions, told Wired he learned of the incident from a Nov. 10 report issued by the Illinois Statewide Terrorism and Intelligence Center, a state government agency. The "Public Water District Cyber Intrusion" report did not name the compromised utility or the SCADA system vendor.

Weiss noted that the incident has not been disclosed by the Water Information Sharing and Analysis Center, the Department of Homeland Security's Daily unclassified report, by the DHS Industrial Control System-Cyber Emergency Response Team or other government and industry security groups.

"None of the water utilities I have spoken to were aware of it," Weiss said, noting the fact that the lack of notification was as "big a deal" as the attack itself.

The attack originated from IP addresses based in Russia, although with proxies and other routing technologies, that doesn't necessarily mean the attackers were based out of that country. The intruders first hacked into the network of the vendor that makes the SCADA system used by the utility and stole customer usernames and passwords, Weiss posted on his blog. The stolen credentials were then used to remotely connect to the utility itself to target the equipment within the facility.

The attack is likely to have lasted for at least two to three months before it was discovered, since operators had noticed "glitches" in the system, the state report found. The nature of those glitches remained unclear.

It is also unknown whether other SCADA systems at other water utilities have been attacked, Weiss said.

"My gut tells me that there is greater targeting and wider compromise than we know about," said David Marcus, director of security research at McAfee. Many of these infrastructure facilities do not have cyber-forensics and response procedures necessary to detect these cyber-intrusions, Marcus said.

DHS is currently investigating the incident and has not seen "credible corroborated data" that indicates there was a risk to critical infrastructure, the agency said in a statement.

The Stuxnet worm last year that damaged centrifuges in Iran's nuclear facility spotlighted how vulnerable SCADA systems were to remote attack. "It is really no more difficult to attack a SCADA network or system than it is to attack any other system," Marcus said. It just takes time, specialized knowledge and dedicated resources to develop the attack, much like any other threat vector, he said.

Many of these SCADA systems also don't need to be connected to the Internet in the first place, Mike Geide, a senior security researcher at Zscaler ThreatLabZ, told eWEEK.  To prevent these attacks the users, systems and software should have the least privilege necessary to complete the task and nothing else.

The report comes less than a day after Norway's National Security Agency (NSM) reported that oil , gas and defense firms were hit by a series of sophisticated cyber-attacks. Industrial secrets and sensitive details about contract negotiations have been stolen, NSM said. At least 10 firms have been targeted in the attack in which user names, passwords, industrial drawings, contracts and documents were stolen and taken out of the country.

"We have to suppose that the actual number (of victims) is much higher, but that many (companies) have not been in contact" with authorities, the Norwegian agency said.

The attackers breached the networks using customized email messages sent to specific individuals in the organizations with malware attachments which managed to slip past anti-malware detection systems, according to NSM. The mail had been carefully crafted to look like legitimate messages and tailored for each individual target. They were sent while the companies were in the middle of negotiations over big contracts.

NSM said one group was likely behind all the attacks but did not provide any additional information.