There is a saying among water industry experts: “If you lose power, you light a candle. If you lose water, you move.”
Indeed, there are few things more important to a functioning society than access to clean water. Because the infrastructure that supports it is so critical, it is an important consideration in America’s homeland security efforts.
Recently, a flurry of news reports has covered a cyber attack that caused disruption at an Illinois water utility. Most reports were based on a blog post by Joe Weiss, an expert on critical infrastructure and cyber attacks. In his post, Weiss cites a “disclosure” from the Illinois Statewide Terrorism and Intelligence Center about a water system cyber attack.
According to Weiss’ post, the hacker (with a Russian IP address) stole credentials from a company that offers Supervisory Control and Data Acquisition (SCADA) systems and used that information to access the Illinois water utility. The attack repeatedly turned a water pump on and off, eventually breaking it. The incident is being investigated by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS’ Peter Boogaard said of the investigation:
“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”
[Wired has since confirmed that the “hack” was not a hack at all, and the whole story can be read here. The following words about the vulnerability of SCADA systems and water utilities, however, still apply. – Ed.]
But that is not the end of the story. Boogaard’s comments, seeming to downplay the incident, spurred another hacker – self-named “pr0f” – to penetrate a South Houston water utility to show how easily it could be done. Pr0f posted screenshots of diagrams, presumably taken from the utility.
“No damage was done to any of the machinery; I don’t really like mindless vandalism. It’s stupid and silly,” pr0f wrote in a post on Pastebin, revealing his hack. “On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn’t even call this a hack, either…This required almost no skill and could be reproduced by a two-year-old with a basic knowledge of Simatic.”
Cyber protection for SCADA systems – which are used to control critical infrastructure like water and power – has long been a homeland issue, and few in the utility industries would claim SCADA systems are hack-proof. Quite the opposite.
“The SCADA system is the soft underbelly of the [water] sector,” says Vance Taylor, a water security expert and principal at Catalyst Partners. “What we’re seeing now is that you can remotely cause physical damage or destruction of the physical components of the system. If you were to take down a critical aspect of the system, you could cause a major denial of service.”
These hacks exploited weaknesses in the SCADA systems that remotely access the utility components. Generators, chlorine feeds, intake valves, pump stations and more – all these are essential to U.S. water systems, and cyber attacks could disrupt them all. The damage would not only hinder water utility operations; it could have significant cascading effects both locally, where the attack occurs, and on a national level.
Taylor noted that losing access to clean water means many other public systems will be affected, including airports, hospitals, manufacturing plants, fire systems, HVAC systems and others. Further, some utility components, such as generators, cannot be replaced overnight. If destroyed, they could take months to deliver and implement, leaving the utility inoperable for an extended time, compounding the damage.
“With a major contamination or denial of service in a metro area, not only would you have public health consequences, but you would damage the public psyche,” says Taylor. “Can you imagine living in a society having to wonder whether it’s safe to drink the tap water?”
With these incidents, what matters is not what did happen but what could have happened. The disruption of a single pump in Illinois may not have interrupted the utility’s service, but the means by which the pump was disrupted proves a greater vulnerability in U.S. critical infrastructure.
A DHS National Cybersecurity and Communications Integration Center bulletin released in September this year reviews the threat to control systems posed by the hacking collective Anonymous. The bulletin finds that while members of Anonymous have shown interest in attacking control systems, they have not yet demonstrated the capability to do so. Anonymous is able, however, “to impact aspects of critical infrastructure that run on common, internet accessible systems,” such as the South Houston utility pr0f hacked.
While Anonymous and other hackers may not be able to significantly disrupt or destroy critical infrastructure (yet), the threat is evident and the target clear. And there are many hackers around the world who do not count themselves among Anonymous and could have state sponsorship, giving them the resources to do serious damage.
“What keeps us awake at night is going up against the type of sophisticated hackers who have infiltrated the likes of NASA and international banks, both of which have enormous amounts of money and know-how to tackle this problem,” says Michael Arceneaux, Managing Director at the Water Information Sharing and Analysis Center (WaterISAC).
SCADA systems can be penetrated – that is known. If they are so exposed to malicious action, however, why then have we not seen more of these kinds of attacks?
“I think we’ve been lucky,” says Taylor. “It’s not that we have in any way eliminated the vulnerability so much as we have been fortunate not to have anybody make a concerted effort to go after it. Pr0f hacked [the South Houston utility] within 24 hours of reading that DHS quote. I think that is telling about just how vulnerable our systems are.”
As for what should be done, the answer comes down to the same ongoing discussions about how to improve America’s cyber readiness. The question: who bears the onus for improving our cybersecurity and protecting our critical infrastructure from cyber threats, the private sector or the government? Arceneaux says both.
“The private sector, with the intelligence support and expertise of federal security agencies, is what drives cybersecurity protections,” he says. “But there’s a federal role, too. There needs to be a strong private-sector-federal collaboration in cyber security, and it will take significant investments in research and training to enhance protections.”