Water System Hack - The System Is Broken

Last week, a disclosure was made about a public water district SCADA system hack. There are a number of very important issues in this disclosure:

• The disclosure was made by a state organization, but has not been disclosed by the Water ISAC, the DHS Daily unclassified report, the ICS-CERT, etc.  Consequently, none of the water utilities I have spoken to were aware of it.
• It is believed the SCADA software vendor was hacked and customer usernames and passwords stolen.
• The IP address of the attacker was traced back to Russia.
• It is unknown if other water system SCADA users have been attacked.
• Like Maroochy, minor glitches were observed in remote access to the SCADA system for 2-3 months before it was identified as a cyber attack.
• There was damage – the SCADA system was powered on and off, burning out a water pump.

There are a number of actions that should be taken because of this incident.

• Provide better coordination and disclosure by the government.
• Provide better information sharing with industry.
• Provide control system cybersecurity training and policies.
• Implement control system forensics.