Water System Hack - The System Is Broken

Last week, a disclosure was made about a public water district SCADA system hack. There are a number of very important issues in this disclosure:
  • The disclosure was made by a state organization, but has not been disclosed by the Water ISAC, the DHS Daily unclassified report, the ICS-CERT, etc.  Consequently, none of the water utilities I have spoken to were aware of it.
  • It is believed the SCADA software vendor was hacked and customer usernames and passwords stolen.
  • The IP address of the attacker was traced back to Russia.
  • It is unknown if other water system SCADA users have been attacked.
  • Like Maroochy, minor glitches were observed in remote access to the SCADA system for 2-3 months before it was identified as a cyber attack.
  • There was damage – the SCADA system was powered on and off, burning out a water pump.

There are a number of actions that should be taken because of this incident.
  • Provide better coordination and disclosure by the government.
  • Provide better information sharing with industry.
  • Provide control system cybersecurity training and policies.
  • Implement control system forensics.
Joe Weiss 
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


  • <p>Joe, at the V-Lab you said someone was killed in an attack against a water system that originated in Russia. Is this what you were referring to? If so, I don't see any mention of an injury or death. </p>


  • <p>A control system cyber incident at a hydro facility in Russia killed more than 70.  There were no injuries or deaths in the Illinois water hack.</p> <p>Joe Weiss </p>


  • <p>You say that a disclosure was made, can you share who made this disclosure and who this disclosure was made to, IE was it a public disclosure or was it made to something secured like DHS HSIN? </p>


  • <p>Are you referring to the hydroelectric plant? No one that I know viewed that as a cyber attack. It was more likely the result of out-dated equipment - typical in the Russian Federation. If you have evidence that it was a cyber attack against the dam, please share! </p>


  • <p> If the "hackers" were able to access the control logic. they would need to have the control software and address logs to determine pump I/O? </p> <p> Also, if they did know all of this, simply turning an output on and off rapidly would surely allow breakers, VFDs, soft starters, motor contactors, thermal overloads etc. etc. to drop out before and an alarm would be set?  </p> <p> It simply doesn`t make sense? Can you imagine the size of this "pump" that distributes to a municipality? And that that size pump would be hard wired to blow if the power is cycled? </p> <p> It sounds like sensationalization to me?  </p>


  • <p>RE:</p> <p class="MsoNormal"> <a href="http://www.washingtonpost.com/world/national-security/water-pump-failure-in-illinois-wasnt-cyberattack-after-all/2011/11/25/gIQACgTewN_story.html">http://www.washingtonpost.com/world/national-security/water-pump-failure-in-illinois-wasnt-cyberattack-after-all/2011/11/25/gIQACgTewN_story.html</a> </p> <p class="MsoNormal"></p> <p class="MsoNormal"> Although good news are well received by everyone reading about the false cyber attack alert (initial alert of a cyber attack at a utility in Springfield of  Illinois reported on November 18) and the evolution of this story, it is still worth of much learning about the Security of Critical Infrastructure, Industrial Control Systems, and specifically SCADA . </p> <p class="MsoNormal"> First, the incident raises questions about the Access Policy to SCADA systems. Is there an Access Policy to the SCADA system that controls the pump? If there is one, the Access Policy should not allow remote control to a device from a laptop, not known IP address, and no vendor access at the customer premises equipment. Utility has to revise its own Access Policy. </p> <p class="MsoNormal"> The access should never be allowed to someone who is away from his designated computer to remotely access a SCADA system. </p> <p class="MsoNormal"> Remote access by vendors to control devices has to be eliminated if possible, or limited and approved by SCADA network administrators. A contractor who travels in personal business should never have accessed a SCADA system from his laptop. The contractors and users need to be trained on how, where, and when to access a SCADA system.   </p> <p class="MsoNormal"> Second, it appears that SCADA systems should be monitored and logging activities should be analyzed in real-time to discover any unusual logging behavior and cyber attack attempts.   </p> <p class="MsoNormal"> Third, logging from remote locations could expose the access credentials (user id, password, certificate or any authentication and authorization mechanisms that were used) to a hacker who could use the credentials for later access. All access credentials to SCADA systems have to be changed to prevent an access to SCADA systems or learning about the access patterns. </p> <p class="MsoNormal"> Fourth, rushed judgments and reporting of a cyber attack without sound (accurate and complete) information could have generated actions that could have had undesirable consequences for the utility and public.  In this case, there should have been more analysis performed by both parties, the state organization that noticed the unusual logging activity and the security expert.   </p>


  • <p> The report is not accurate anymore and it should be updated or removed. It is misleading information about the cyber attack; however, the blog provides some controversial analyses. </p> <p> Please see comment posted to your blog under Lessons and read the report at </p> <p></p> <p class="MsoNormal"> <a href="http://www.washingtonpost.com/world/national-security/water-pump-failure-in-illinois-wasnt-cyberattack-after-all/2011/11/25/gIQACgTewN_story.html">http://www.washingtonpost.com/world/national-security/water-pump-failure-in-illinois-wasnt-cyberattack-after-all/2011/11/25/gIQACgTewN_story.html</a> </p> <p></p>


RSS feed for comments on this page | RSS feed for all comments