Foreign cyber attack hits US infrastructure: expert

Nov 19, 2011
A cyber strike launched from outside the United States hit a public water system in the Midwestern state of Illinois, an infrastructure control systems expert said on Friday.

"This is arguably the first case where we have had a hack from outside the United States that caused damage," Applied Control Solutions managing partner Joseph Weiss told AFP.

"That is what is so big about this," he continued. "They could have done anything because they had access to the master station."

The Illinois Statewide Terrorism and Intelligence Center disclosed the cyber assault on a public water facility outside the city of Springfield last week but attackers gained access to the system months earlier, Weiss said.

The network breach was exposed after cyber intruders burned out a pump.

"No one realized the hackers were in there until they started turning on and off the pump," according to Weiss.

The attack was reportedly traced to a computer in Russia and took advantage of account passwords stolen during a hack of a US company that makes Supervisory Control and Data Acquisition (SCADA) software.

There are about a dozen or so firms that make SCADA software, which is used around the world to control machines in industrial facilities ranging from factories to nuclear power and sewage plants.

Stealing passwords and account names from a SCADA software company was, in essence, swiping keys to networks of facilities using the programs to control operations.

"We don't know how many other SCADA systems have been compromised because they don't really have cyber forensics," said Weiss, who is based in California.

The US has downplayed the Illinois cyber attack in public reports, stating that it had seen no evidence indicating a threat to public safety but was investigating the situation.

Word also circulated on Friday that a water supply network in Texas might have been breached in a , according to McAfee Labs security research director David Marcus.

"My gut tells me that there is greater targeting and wider compromise than we know about," Marcus said in a blog post.

"Does this mean that I think it is cyber-Armageddon time?" Marcus continued. "No, but it is certainly prudent to evaluate our systems and ask some questions."

User comments : 33

Recovering_Human
5 / 5 (3) Nov 19, 2011
Why would these local critical systems be made accessible in any way from beyond small closed networks?
dogbert
Nov 19, 2011
This comment has been removed by a moderator.
FrankHerbert
Nov 19, 2011
This comment has been removed by a moderator.
dogbert
3.7 / 5 (6) Nov 19, 2011
Any theories, dogbert?


Obviously, security is being discarded in favor of convenience.

Recovering Human's question remains valid. Why would you sacrifice security on critical systems?
hyongx
5 / 5 (4) Nov 19, 2011

Why would you sacrifice security on critical systems?


"Hey bro would you pass me that wireless keyboard? and a Budweiser?"
"what do you want the keyboard for?"
"well my boss says i gotta turn the pump off at 2am. Like I'm gonna stay there til 2am. As If!"
"no but so what's the keyboard for, dude?"
"Remote desktop, homie!"
*high fives*
fmfbrestel
5 / 5 (6) Nov 19, 2011
@dogbert -- because you don't have the money to hire one controller for each station, workforce dictates remote control. They absolutely should NOT be on the internet, but instead on a closed network -- again costs money to build a fully independent network. In an economic climate with anemic tax revenues, no level of government has the extra money to spend.

The vast majority of all government spending, at all levels, goes to payroll one way or another. In an age of massive budget cuts where should we get the money to fix these problems?

I don't have a solution and don't pretend to, but I think we need to start owning up to the seriousness of our situation.
fmfbrestel
not rated yet Nov 19, 2011
Good point hyongx - the great majority of all hacks require someone to be careless, not all of this needs to fall on faulty procedures or systems.
FrankHerbert
0.8 / 5 (53) Nov 19, 2011
Any theories, dogbert?


Obviously, security is being discarded in favor of convenience.

Recovering Human's question remains valid. Why would you sacrifice security on critical systems?


Nice dodge. I'll ask again. Any theories dogbert?
Nerdyguy
1 / 5 (1) Nov 19, 2011
Is it my imagination, or has PhysOrg recycled that same photo for several other stories?
Nerdyguy
2.3 / 5 (3) Nov 19, 2011
Those of you suggesting that these systems should be offline or only on small local networks:

The fact is, they're not. We live in a complex, global economy where systems of all kinds are interconnected and where the technical expertise needed to implement and maintain systems is not readily available at all times at all locations on the planet. This doesn't appear to be a problem that will be solved any time soon.

So, can we move past that?
kochevnik
1 / 5 (2) Nov 19, 2011
Another win for libertarian robber-baron wannabes who outsource their security to third-world street urchin posers on freelancer.com. Ryggesogn2 should be livid with excitement!
dogbert
3.7 / 5 (3) Nov 19, 2011
fmfbrestel,

...because you don't have the money to hire one controller for each station, workforce dictates remote control. They absolutely should NOT be on the internet, but instead on a closed network -- again costs money to build a fully independent network. In an economic climate with anemic tax revenues, no level of government has the extra money to spend.


I think it can be argued that the small expenditures to create a closed network are justified when compared to the costs of open access to critical systems, but you can create virtual private networks over a public network for essentially zero extra cost.

There is really no excuse for providing open access to critical systems.
maxcypher
5 / 5 (2) Nov 19, 2011
Right: no excuse. It is due to the laziness of the companies and gov't departments involved that allows open access.
Burnerjack
5 / 5 (2) Nov 19, 2011
If these systems were on closed networks, there would be no need to hire "emergency cyber security consultants" at some exorbitant rate. Allowing the attack to occur FIRST not only "justifies" the added expenditure but also further justifies "homeland security" type measures.
How much simpler it would be to fire those responsible for securing these critical applications for not doing their jobs in the first place. But then, that would be like demanding accountability in government. How crazy is THAT!
ROBTHEGOB
3 / 5 (2) Nov 20, 2011
Our fancy new state-of-the-art city library in Eugene, Oregon has all its lighting and heating controlled from the other side of the country; pretty stupid, I would say. This is a trend, and should be stopped before it gets out of hand.
Nerdyguy
3 / 5 (2) Nov 20, 2011
Another win for libertarian robber-baron wannabes who outsource their security to third-world street urchin posers on freelancer.com. Ryggesogn2 should be livid with excitement!


Actually, this is a standard operating procedure in IT departments around the world. Please take your political views elsewhere.
Nerdyguy
3.7 / 5 (3) Nov 20, 2011
I think it can be argued that the small expenditures to create a closed network are justified when compared to the costs of open access to critical systems, but you can create virtual private networks over a public network for essentially zero extra cost.

There is really no excuse for providing open access to critical systems.


You are truly out of your element here and stating misinformation. There is nothing "small" about the expenditures. There is no possible way to fix this with a closed, off-limits system.

This is not the CIA we're talking about. It's municipal water depts. and they barely have the cash to keep the water pumping.

This cannot -- and will not -- be fixed in this manner.

Please move on.

Nerdyguy
1 / 5 (1) Nov 20, 2011
Right: no excuse. It is due to the laziness of the companies and gov't departments involved that allows open access.


Wrong. Read my posts for some enlightenment.
Nerdyguy
2.3 / 5 (3) Nov 20, 2011
Our fancy new state-of-the-art city library in Eugene, Oregon has all its lighting and heating controlled from the other side of the country; pretty stupid, I would say. This is a trend, and should be stopped before it gets out of hand.


Wow, you guys just aren't listening.

This is NOT NEWS.

This is NOT NEW.

This has been going on for about 20 years, and is standard operating procedure for IT departments EVERYWHERE ON THE PLANET.

Other than military, intelligence and other high-security government agencies, NO ONE has all the expertise in-house to do EVERYTHING that might come up.

We need to talk about improving security where and how it is doable, and stop wasting time talking about taking one million or more systems off-line. We are ALL hyper-connected, and it will stay that way.

Now, other than pulling the plug, what ELSE can we do?
Jonny_V
not rated yet Nov 20, 2011
If you have ever worked with the typical blue collar employees, they are generally IT illiterate, so this really doesn't surprise me. Especially since I ran into the same types of issues with warehouse automation systems.
_nigmatic10
3.7 / 5 (3) Nov 20, 2011
So this hack happened because the hackers used months old passwords to gain access? Really? Why is it simple hotels have their network passwords changed every month, yet here is a utility company getting hacked by months old stolen passwords. Really? Are the infrastructures in that much of a dark age still?
dogbert
3 / 5 (4) Nov 20, 2011
Nerdyguy,

Wow, you guys just aren't listening.

Are you?

We need to talk about improving security where and how it is doable, and stop wasting time talking about taking one million or more systems off-line. We are ALL hyper-connected, and it will stay that way.

Now, other than pulling the plug, what ELSE can we do?


We can stop saying we cannot do anything.

If remote access is necessary and the network is small, a private network is not prohibitively expensive.

If remote access is necessary and the network must include multiple sites, a virtual private network is not difficult to set up or maintain and is essentially free. That is, since the utility can afford internet access, it can afford a virtual private network.

This story is about a water plant and a burned out water pump. Suppose it was about a dam and gates blocked open?

It is not necessary to subject our critical systems to open access. Criminal incompetence is not excusable.
kevinrtrs
2.9 / 5 (8) Nov 20, 2011
no level of government has the extra money to spend

Interesting that the US government found hundreds of billions of dollars to bail out crooks in the housing/banking rip-off which of course led to huge bonus payouts for the culprits.
So it's merely a matter of priorities.
Nerdyguy
1 / 5 (1) Nov 20, 2011
no level of government has the extra money to spend

Interesting that the US government found hundreds of billions of dollars to bail out crooks in the housing/banking rip-off which of course led to huge bonus payouts for the culprits.
So it's merely a matter of priorities.


Yes and no. The problem described here was almost unheard of even a few years ago. But, even now, it's not really viewed as something with the potential for disastrous consequences. Incorrectly, IMO, but I don't sit on the appropriate legislative committees either. Also, there have been some dollars designated for this kind of thing. But, the majority are being spent on things like physical security at the big nuke plants.
_nigmatic10
3 / 5 (2) Nov 20, 2011
Cycling passwords to at least a nominal change pattern would reduce if not prevent events like this. Not much, if any money needs to be thrown at such a policy.
Skultch
not rated yet Nov 20, 2011
If remote access is necessary and the network must include multiple sites, a virtual private network is not difficult to set up or maintain and is essentially free.


True, but that probably wouldn't have helped here. Remember, they got the logins from a previous hack, which might have included the VPN credentials. Rolling VPN is very expensive.

I'm not really arguing; you make a decent point. However, it's much more complicated than simply slapping a VPN on the remote access problem. Only addressing one flaw will just expose the next weakest link. There's almost no point at only addressing one aspect of security.

And anyway, it looks like all they had to do is replace a pump. A pump that almost certainly costs much less than a thorough independent IT security audit and subsequent upgrade(s). We don't know if they had more critical systems exposed or not.
Skultch
not rated yet Nov 20, 2011
Cycling passwords to at least a nominal change pattern would reduce if not prevent events like this. Not much, if any money needs to be thrown at such a policy.


Can I get a quote for that? Those keychain VPN systems take a lot of manpower to manage and are cost prohibitive if you only have a few remote uses / users, which I assume is the case here.

Maybe they are cheaper now and these yahoos should have known that. I've been out of the security side of IT for a while.
SteveL
not rated yet Nov 20, 2011
There are publicly available search engines that can locate internet-facing SCADA systems. SCADA security isn't very robust - you can query repeated password attempts. And, on the people side: processor default passwords are often used or replaced with some inane password like "11111", "12345" or a local zip code.

More than 5 years ago I saw this same type of hack performed by the US's DHS - also burning up a pump motor by the same method. They were trying to prove a point, but the warnings haven't gotten any traction yet. I have no idea other than another darn government mandate what will get federal, state and local governments to wake up and take proactive measures to secure their systems.

Were I an aggressive nation state and wanted to disable another country pre-invasion, I'd shut down their internet & SCADA systems. 90 days in a first-world nation without monetary flow, commerce, electrical or coordinated defences - an army could walk right in with little resistance.
Skultch
not rated yet Nov 20, 2011
Pumps and the like are relatively easy and cheap to replace, afaik. I'd be more worried about electrical systems' security because of the relatively higher cost and length of production of the high capacity transformers. I don't know how exposed those systems are, however.

I'm mostly just throwing ideas out there, so no need for a heated debate with me. All I'm really saying is that there is a very complicated financial cost/benefit risk analysis that must be done on these systems and budgets, and many posts here are not appreciating that fact.
TheGhostofOtto1923
1 / 5 (1) Nov 20, 2011
We need to talk about improving security where and how it is doable, and stop wasting time talking about taking one million or more systems off-line. We are ALL hyper-connected, and it will stay that way.

Now, other than pulling the plug, what ELSE can we do?
Well, obviously, again the best defense is ATTACK.
Why would these local critical systems be made accessible in any way from beyond small closed networks?
-And why would you locate your pacific fleet out in the middle of the pacific where it couldn't be defended? Perhaps you need something which gives you the moral justification to ATTACK.

Defense is useless. The enemy waits like the lion in the grass, looking for weakness, and attacks when IT is ready.

People long ago learned that the only lasting defense against lions is to hunt them. Any gamer will tell you this.
Skultch
not rated yet Nov 20, 2011
People long ago learned that the only lasting defense against lions is to hunt them. Any gamer will tell you this.


Yep; we've known this for a few years. See Sun Tzu's "The Art of War," or for a more recent example, No Limit Texas Hold'em strategy. Blind attack is usually a high risk. It's better to probe then prepare a crushing counter-attack than to "show your hand" with little intel on the defender's power.

I think it's a bit of a stretch to claim that local municipalities are knowingly giving themselves up as bait. I'm sure Otto has a riveting conspiracy theory at-the-ready, though. :)
TheGhostofOtto1923
1 / 5 (1) Nov 20, 2011
Yep; we've known this for a few years. See Sun Tzu's "The Art of War," or for a more recent example, No Limit Texas Hold'em strategy. Blind attack is usually a high risk. It's better to probe then prepare a crushing counter-attack than to "show your hand" with little intel on the defender's power.
Why I was just thinking this myself. One way to gauge an enemy's potential is to present some tempting targets, like water pumps. Anonymous members were probably stung in this way.
I think it's a bit of a stretch to claim that local municipalities are knowingly giving themselves up as bait.
Depends on who designs their infrastructure for them.
I'm sure Otto has a riveting conspiracy theory at-the-ready, though. :)
EMPIRE owns everything like Joseph and pharaoh. They do whatever They want with Their possessions. Including us. 8-O
Ricochet
not rated yet Nov 21, 2011
So this hack happened because the hackers used months old passwords to gain access? Really? Why is it simple hotels have their network passwords changed every month, yet here is a utility company getting hacked by months old stolen passwords. Really? Are the infrastructures in that much of a dark age still?

That was my exact thought as I read the article and the subsequent posts... How much does it cost to change passwords?
Ricochet
not rated yet Nov 21, 2011
See Sun Tzu's "The Art of War," or for a more recent example, No Limit Texas Hold'em strategy.

Kudos to you. That was just damned funny. And that comes from the heart of a Texas Hold'em enthusiast.
SteveL
not rated yet Nov 21, 2011
So this hack happened because the hackers used months old passwords to gain access? Really? Why is it simple hotels have their network passwords changed every month, yet here is a utility company getting hacked by months old stolen passwords. Really? Are the infrastructures in that much of a dark age still?

That was my exact thought as I read the article and the subsequent posts... How much does it cost to change passwords?
The price of unemployment for those who don't.