By now you have probably heard about the water utilities that have reportedly been hacked. But is this the advanced, world-ending SCADA cyber attack that we have all been warned of? You know, the one that ends life as we know it and sends us back to the stone age? No, I hate to disappoint, but it is not.
Then, what is it?
“This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this. I’m sorry this ain’t a tale of advanced persistent threats and stuff, but frankly most compromises I’ve seen have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint.”
So says the hacker “Pr0f” in an e-mail interview with Threat Post. Pr0f allegedly hacked into a South Houston water plant after becoming frustrated with reports that surfaced after the Illinois water plant was attacked:
“My eyes were drawn, nary, pulled, to a particular quote:
‘In an email sent several hours after this article was first published, DHS spokesman Peter Boogaard wrote: “DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”’
This was stupid. You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely F***** the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done.”
So Pr0f wrote in a post on Pastebin that included pictures allegedly from the South Houston water plant (one of them, as posted on The Register, is used as the graphic for this post).
In the Threat Post article, Pr0f claims to have used a “scanner that looks for the online fingerprints of SCADA systems.” Shodan, dubbed the “Google for Hackers,” comes to mind. Just surf to Shodan’s website and you are greeted with, “Expose Online Devices. Webcams. Routers. Power Plants. iPhones. Wind Turbines. Refrigerators. VoIP Phones.”
Power plants? That is kind of unnerving. But anyone who has used Shodan knows that with the right keyword search many unsecured or lightly secured systems can be found. Pr0f claims that the South Houston site was protected by a three-letter password!
This brings up numerous questions that must be asked and answered:
- Why are public utility systems that are completely unprotected or only lightly protected found through simple online searches? Especially after years of warnings of possible hacker attacks?
- Why haven’t Federal agencies used the same search engines to look for exposed utilities and locked them down? Does the Federal Government even have a “Red Team” to do this?
- Why would utilities themselves (again, after several years of warnings) use a three-character or easily guessable password to secure systems reachable online? Aren’t there rules for password length and complexity for public utilities?
The press seems to be making this out as the missing link of cyber attacks: the proof needed that an “End of the World” attack is not only possible, but imminent. But so far, the available evidence shows that this is nothing of the sort.
The closest call that I have ever heard of had nothing to do with hackers. While working in the Oil & Gas sector for a while, I heard a nuclear power plant executive engineer tell a harrowing story.
A while ago, an engineer was looking for a gas leak near a nuclear power plant control room. He was in an area that has ALL the wires running through it that enter the control room. He set the room on fire, but they were able to put it out in time, before any wires or controls were damaged.
How did he do this? He was using his lighter as a light to find the gas leak!
Our infrastructure will be much safer if and when utility providers are held accountable for securing their systems, are checked and tested for security regularly, and all lighters are banned from vulnerable areas!