- Attacks on critical infrastructure set worrying precedent for security officials
- Hacked SCADA software also used in nuclear power stations and on oil rigs
- Officials trace attack to computer in Russia
By Graham Smith
Daily Mail
Russian cyber criminals have destroyed a pump used to supply water to thousands of homes in Illinois, according to an infrastructure control systems expert.
Hackers accessed the public water facility in the city of Springfield and are believed to have then broken the pump by remotely turning it on and off in quick succession.
The incident, which took place on November 8, sets a worrying precedent for security officials – particularly after another hacker has since claimed to have taken control of a second U.S. facility.
Hackers using a computer in Russia have accessed an Illinois public water facility and are believed to have then broken the pump by remotely turning it on and off quickly
Joe Weiss, who advises utilities on how to protect themselves against hackers, told the AFP news agency: ‘This is arguably the first case where we have had a hack of critical infrastructure from outside the United States that caused damage.
‘That is what is so big about this. They could have done anything because they had access to the master station.’
The attack, which is being investigated by the FBI and the U.S. Department For Homeland Security (DHS), has been traced to a computer in Russia, Mr Weiss said.
It first came to light after Mr Weiss, of Applied Control Solutions, posted on his blog quotations taken from a one-page report by the Illinois Statewide Terrorism and Intelligence Center.
The report said hackers obtained access using stolen login names and passwords.
These were taken during a hack on a U.S. company that makes Supervisory Control and Data Acquisition (SCADA) software, which is used around the world to control machines in critical industrial facilities.
SCADA software is in place at nuclear power stations and oil rigs; the Illinois infiltration therefore sets a frightening precedent.
Mr Weiss said: ‘We don’t know how many other SCADA systems have been compromised because they don’t really have cyber forensics.’
Further embarrassment: A second hacker has posted this screenshot of the internal control systems for a waste water treatment plant in South Houston
A Twitter profile picture of the South Houston hacker – he claimed said that the water system was only protected by a three-character passwordHe claimed the report said ‘glitches’ in the remote access system for the pump had been notices for months before the pump was destroyed.
‘No one realised the hackers were in there until they started turning on and off the pump,’ he said.
Peter Boogaard, a spokeman for the DHS, said: ‘At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.’
However, a hacker using the online name ‘pr0f’ has responded to Mr Boogaard’s statement by claiming to have taken control of a second U.S. public facility, this time in South Houston, Texas.
Astonishingly, he said that SCADA system was only protected by a three-character password.
To prove his point, he then posted links – on the Pastebin website – to what he claims are screenshots of the internal control systems for the waste water treatment plant.
The issue of securing SCADA systems from cyber attacks made international headlines last year after the mysterious Stuxnet virus attacked a centrifuge at a uranium enrichment facility in Iran.
Many experts said that was a major setback for Iran’s nuclear weapons program and attribute the attack to the U.S. and Israel.
In 2007, researchers at the U.S. government’s Idaho National Laboratories identified a vulnerability in the electric grid, demonstrating how much damage a cyber attack could inflict on a large diesel generator.
Lani Kass, who retired in September as senior policy adviser to the chairman of the U.S. Joint Chiefs of Staff, said America should take the possibility of a cyber attack seriously.
She said: ‘The going in hypothesis is always that it’s just an incident or coincidence. And if every incident is seen in isolation, it’s hard – if not impossible – to discern a pattern or connect the dots.
‘Failure to connect the dots led us to be surprised on 9/11.’
Representative Jim Lanvevin, a Democrat from Rhode Island, said that the report of the attack highlighted the need to pass legislation to improve cyber security of the U.S. critical infrastructure.
He said: ‘The stakes are too high for us to fail, and our citizens will be the ones to suffer the consequences of our inaction.’
