Sign in to follow this  
Followers 0
Chris Elston

SCADA System Hacked in the News, Interesting Story

11 posts in this topic

You just don't hear much like this going on out there but take a look at this story: http://www.engadget.com/2011/11/20/water-pump-reportedly-destroyed-by-scada-hackers/ What do you think of this? I am sure they don't have the story right. The picture used in not a SCADA application....

Share this post


Link to post
Share on other sites
i think author just grabbed first picture showing something 'garbled' as most readers are computer illiterate anyway and access to actual site may be restricted. imho, hackers are not main culprits, it is people who designed and those who run the system. something vital as water supply should have undergone some scrutiny before put in operation. the article does not impress me. for example, why is FBI "investigating damage"? aren't they in business of tracking bad guys? i get that they may scrutinize computers involved trying to find any trace of evidence leading to culprits but that is not what article says. so what does FBI know about replacing a pump?

Share this post


Link to post
Share on other sites
Either the hoax grows or this baby is valid. Information Week has picked up the story and says an attack also occurred in South Houston, TX. Take note it was buggy freeware to Admin the SQL which appears to have allowed the breach.

Share this post


Link to post
Share on other sites
Unfortunately it's bound to get worse before it gets better. Here are a few more articles/blogs on it. http://news.cnet.com/8301-1009_3-57327030-83/was-u.s-water-utility-hacked-last-week/ http://scadahacker.blogspot.com/2011/11/hackers-independently-attack-two.html http://www.tofinosecurity.com/blog/scada-security-breached-us-water-utilities

Share this post


Link to post
Share on other sites
Ok. So there is a clear difference between us Controls Engineers and your typical IT (computer based) hackers. We've been typically viewed as the "black magic" of automation, because IT people don't understand PLCs or how to program ladder logic etc. Most of the time all these years there is a definite line in the sand when it comes to Controls Engineers and IT related people. We typically have or carry the knowledge of IT people because we have to know how to network our PLCs, HMIs, and SCADA systems...it's also clear to me that you generally need special software to access automation systems. Such as the Siemens HMI or SCADA system mentioned in the news. Clearly to me, the hackers doing this probably don't have access to the expensive software we use unless they know something about automation already or they obtain the software through some news group alt.binaries warez group, but I don't think your typical IT based hacker would dive into automation and figure out how to hack a SCADA. I think there is some stupidity on the engineer's that are leaving a web page access open with little or no password protection. Generally, this would be the only way an easy access is left open to an automation system is a designed web page access, rather than software or a "typical" hack that most of the world perceives. To all the upcoming Control Engineers out there, we are suppose to be smarter than that, come on guys, think before you design an open web page that gives the world access to an pump on off control through a browser window, or at least in this case, if it's a 3-phase pump motor, write logic in your PLC that prevents the pump from starting and stopping so rapidly or even using a soft-start logic in your PLC....

Share this post


Link to post
Share on other sites
The scary thing is that the hacker community has been producing commoditized toolkits as of recent years. The tools, such as Metasploit, are an attack framework. The authors of the plugins are extremely smart and only have to write their code once. At that point any "script kiddie" can easily download and run it - no technical expertise required. How hard would it be for PHD computer security researches in a lab with PLC X to determine that it can be taken down with this specific type of malformed packet, or reprogrammed without the password? Maybe tough the first time, but dissemination is trivial. What about a SCADA/HMI package? The same thing applies. Once an attacker can run commands as a privileged user (which the process on your Windows SCADA computer is 99% likely to be) - game over. The solution - we're going to have to step up our security posture as a collaborative effort with IT. This involves all those "good practices" that you already know. You'll have to leverage their expertise in creating a strong "Defense in Depth" architecture. I make reference to these issues in my two most recent blog posts. I believe the days are numbered where us controls folk can claim that the system being up is too important and IT doesn't understand it so they shouldn't touch it. We're heading to a point where the availability of the system depends on them properly implementing and maintaining their piece of the puzzle as an enabler for us. This may feel a little uncomfortable initially, but is for the best in the long run. Edited by Nathan

Share this post


Link to post
Share on other sites
Fake story? http://www.washingtonpost.com/world/national-security/federal-officials-find-no-proof-of-cyberattack-on-water-pump-in-illinois/2011/11/23/gIQAx2UlpN_story.html

Share this post


Link to post
Share on other sites
Wow. The story is not fake, but there are apparently people that have no clue what's going on that reported it...just wow...

Share this post


Link to post
Share on other sites
Oh my goodness guys...you will laugh, I promise... And this is Paul Harvey with the "REST OF THE STORY"..... http://www.engadget.com/2011/12/01/man-on-vacation-confused-for-a-russian-spy-almost-restarts-cold/

Share this post


Link to post
Share on other sites
So....the saga continues, who knows if anything really happened , and if it was meant to do harm.

Share this post


Link to post
Share on other sites
Sounds like someone hoping to prove his predictions of bad things coming true. Ethernet security is an important issue, but crying wolf is not going to help. It was a good laugh though. Thanks.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0