Russian hackers behind first successful US SCADA system attack

As reported previously, SCADA – Supervisory Control and Data Acquisition – systems are often used for protecting critical national infrastructure platforms such as energy and telecommunications grids. The systems are usually based around an embedded and robust version of Windows, which makes them resilient against most malware.

The Reuters newswire suggests that the hackers gained access to the systems of a vendor of SCADA control systems and then used the knowledge gained – possibly tapping the use of default IDs and passwords – to attack and destroy the Illinois water pump system.

“The pump was apparently remotely activated and burnt out, though redundant systems meant no impact was felt by residents of the town”, notes the newswire.

Various agencies – including the Illinois Statewide Terrorism and Intelligence Center, the US Department of Homeland Security and the FBI – are all reportedly investigating the attack.

According to Sophos Canada’s senior security specialist Chester Wisniewski, the attackers may have infiltrated the system starting in September 2011, although the attack wasn't discovered until November 8th this year.

“The notice about the attack noted that it was similar to an attack against the Massachusetts Institute of Technology earlier this year which exploited bugs in the open source software phpMyAdmin”, he said in his weekend report.

Ross Brewer, vice president and managing director of security audit and logging specialist LogRhythm, said there are many people who are sceptical about the damage hackers can inflict on physical infrastructure, stating that the worst they can do is cause irritating interruptions to services.

“However, this incident proves that attacks in cyber space can result in physical damage. This cyber attack appears to be part of a developing trend and, like the Stuxnet and Duqu viruses, provides a real-world example of the threat to key national infrastructure that cyber crime presents”, he said.

“The report covering this incident also stated that the water utility had observed repeated glitches in remote access to its SCADA system over a period of two to three months. However, it seems there was no system in place to connect the anomalous network activity, as the attack clearly achieved its objective”, he added.

Brewer went on to say that it is now clear that organisations need centralised, automated monitoring systems in place in order to detect these kinds of anomalies as they occur.

“These systems provide the traceability needed to identify patterns in seemingly unrelated incidents and generate early warning alerts so that damage limitation strategies can be enacted before any destruction of national infrastructure can occur”, he explained.

Claire Sellick, event director for the Infosecurity Europe show, meanwhile, said that the saga highlights the very real dangers that hackers now pose to everyone in society.

“The prospect of water systems being remotely compromised by hackers does not bear thinking about, as our society relies on water for factories and everyday mundane chores such as washing and showering. And of course, everyone drinks water, so the prospect of our domestic or office water supply being flooded with chemicals - released en masse by the hackers - does not bear thinking about,” she said.

“More than anything, these reports highlight the need for better education on IT security amongst organisations of all sizes. If the IT staff at the software vendor that is alleged to have been hacked understood the reason why their systems needed to be better defended, then it’s likely this high-level compromise would not have happened,” she added.

Sellick went on to say that, in accessing the vendor’s systems, the hackers would have been able to work out what IDs and passwords would be likely to work on SCADA-connected water utility company systems.

And it’s against this backdrop, Sellick notes, that a central focus of the Infosecurity Europe show is dedicated to providing the highest level of free education to attendees.

“Next year’s show - which takes place at London’s Earl’s Court exhibition centre from the 24th to the 26th of April - will offer a variety of education facilities, offering a range of high quality, multi-format methods of delivering education and training to visitors to meet all possible educational needs,” she said.

