November 28, 2011

TechMan: Foreign hack attack on water plant real or imaginary?

Sunday, November 27, 2011 -- By Ced Kurtz, Pittsburgh Post-Gazette
If Sir Arthur Conan Doyle were writing this column he might call it, "The Case of the Vanishing Hack."
About a week ago, a report by the Illinois Statewide Terrorism and Intelligence Center said a cyber intrusion into software that controlled the equipment at a rural water plant caused a pump to burn out.
A hack at a podunk water plant that caused no damage would have been little noticed except for a line in a Washington Post story about the incident -- "in what could be the first known foreign cyberattack on a U.S. industrial system."
The story was picked up by wire services and made the front pages of many newspapers.
It was a good story, but had one fatal flaw -- it may not have been true.
Last week, the Department of Homeland Security issued a report outright denying the attack. "After detailed analysis, DHS and the FBI have found no evidence of a cyberintrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Ill.," DHS spokesman Chris Ortman said in a statement provided to CNET.

"There is no evidence to support claims made in initial reports -- which were based on raw, unconfirmed data and subsequently leaked to the media -- that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities."
In other words: You were wrong and you should have kept your mouth shut.
But control systems expert and security gadfly Joe Weiss, who brought the original report to the attention of the media, is a little incredulous.
"This smells to high holy heaven, because when you look at the Illinois report, nowhere was the word preliminary ever used," Mr. Weiss told the Wired Threat Level blog. He noted that the fusion center -- which comprises Illinois state police as well as representatives from the FBI and DHS -- distributed the report to other infrastructure facilities. "It was just laying out facts. How do the facts all of a sudden all fall apart?"
Ah, the game is afoot, as Sherlock Holmes would say.
One reason the Illinois report was so believable was the amount of detail.
The report said the hackers attacked the supervisory control and data acquisition (SCADA) software at the plant, turning the pump on and off until it burned out.
It also said the intrusion had been traced to a computer in Russia. And it said the maker of the SCADA software had been hacked to obtain system user names and passwords.
Then a few days later, a hacker took aim at the system behind Houston's water supply and showed how that system could be easily hacked -- without actually doing it. He said the password to the system was only three characters.
Based on recent history, the Illinois report tells a story that wants to be true.
Security experts have been fearing for years that hacker/terrorists would attack the computer systems that control our infrastructure -- water systems, the electricity grid, railway switches, nuclear plants.
SCADA software was built with little thought to security because it was assumed that it would not be on a network.
"But often those things are on networks that increasingly do have paths to the Internet -- even if the path is only via USB drives," Gartner analyst John Pescatore said.
Fear of an infrastructure attack was stoked last year by an attack on a nuclear facility in Iran by the Stuxnet virus. That virus invaded the SCADA software at the Natanz nuclear facility, where thousands of centrifuges spun nuclear materials to concentrate them for use as fuel or in weapons. It is thought the means of entry was USB drives.
Stuxnet varied the speed of the centrifuges, destroying up to a third of them from vibration and setting back Iran's efforts.
Since the attack, the hacker group Anonymous has released the computer code for the Stuxnet virus on the Internet.
Adding to the concern, in September a new worm, named Duqu, turned up that is designed to capture information such as keystrokes and system information. The purloined data may be used to enable a future Stuxnet-like attack. This is exactly what the Illinois report said happened to the SCADA vendor.
So what is going on here? Was Mr. Weiss overzealous? Was there a loose cannon in the Illinois security apparatus?
Is the Department of Homeland Security denying the report for reasons other than its truth?
Whatever the case, it seems clear that an infrastructure attack in this country is not only possible, but likely.
For as Holmes said, "Well, Watson, we seem to have fallen upon evil days."
First published on November 27, 2011 at 12:00 am