It’s the SCADAPOCALYPSE story they’ve all been waiting for – two water utility systems in the US were apparently hacked. Countless reporters were quick to remind us of Stuxnet and to point out that the alleged attack was traced to a server in Russia. There were the predictable ‘Why the hell was SCADA connected to the Internet?’ comments after every article.
Few of us really understand SCADA technology, beyond the fact it’s related to critical infrastructure. My own experience is limited to messing about with PLCs, HMIs and small-scale offline industrial systems, so I’m no expert either. But anyone in the information security business will develop a bullshit detector, and for me the indicators are a) unverifiable claims, b) liberal uses of the word ‘cyber’, and c) the absence of specific details.
The story is some hacker(s) acquired login details from a software firm’s database and used them to mess with a water facility, eventually breaking one of the pumps. Whether the attack was traced to a proxy in Russia is irrelevant, especially since we aren’t told the actual IP address.
Nobody’s asking the most important questions here: Which software firm was supposedly compromised? When was it compromised? Are its other clients at risk, and have they been informed? Why did it take months to figure out the system was being interfered with? How many other factors contributed to the incident?
The lack of any real information here can mean one of two things – this is a hoax, or there’s indeed something potentially serious the infosec community aren’t being told about.
Nor is this strictly a SCADA issue. If company bosses put systems online because it’s cheaper and more convenient, that kind of thinking will be applied elsewhere. And it was, if there’s any truth to the story – the water facility was compromised because the login details were pulled from another company’s database. Even a relatively secure SCADA system can be compromised because of shit key management, because of social engineering, because nothing’s been audited, or for a host of other reasons within the infosec realm.
Joe Weiss, referenced as an expert on control systems, claims to have read a one page intelligence report which doesn’t name the company that was hacked, can’t be seen by the public, and therefore can’t be verified. Weiss goes on to say: ‘We don’t have cyber forensics, so when they see (issues) they don’t think it’s a cyber problem’. But the FBI has ‘cyber forensics’, they investigated, and said they couldn’t find evidence.
Someone going by the name Pr0f claimed to have hacked into the second facility, and released screenshots to prove it. Nowhere in his Pastebin entries, or in several interviews with him, does he indicate any inside knowledge of the systems, although his second Pastebin entry is dead right on several things, especially this:
‘“Cyberwar” is unlikely to happen, in my opinion. I’ve met enough .mil types to know that they’re pretty grounded in reality; blame spokespeople for the irritating craze of adding “cyber-” to everything. Even the concept of cyberwar is ridiculous; war is a meatspace occurrence and simply couldn’t have a digital equivalent.’
What does the US government make of all this? For a start, the Illinois and Texas local authorities haven’t published anything on their sites, and seem quite unaware of the incident. ICS-CERT and the FBI issued a joint statement denying there was any evidence of an attack. What I find interesting is that people actually believed Weiss and Pr0f more than the government.
I looked a little deeper, and did a quick search for Curran-Gardner Township Water District, which was named by Wired.com. The results showed the company had been making patches and modifications to its system for several years, and had encountered a few problems along the way. I’d say it’s more likely something just broke. The spokesman for that company told a local paper: ‘Whether the burnout of that pump was related to this what might or might not have been a hacking, we don’t know’.