Crossroads Blog | Institute National Security and Counterterrorism

cyber attack

SCADA, Water Utilities, and Critical Infrastructure

You're going to be hearing a lot more about SCADA (Supervisory Control and Data Acquisition) systems in the coming months. Again, these are the computer systems that control critical infrastructure (water, electric, chemical plants, natural gas, railroad lines, and even nuclear power).

This past week, there were supposedly two attacks on US water utilities: one that came from a Russian IP address, and one from a disgruntled hacker that "required almost no skill and could be reproduced by a two-year-old with a basic knowledge."  Now, it's important to realize that these two attacks have yet to be confirmed.  I wait with baited breath to see the results of the pending DHS/FBI investigation into the attack on the Springfield water utility.  That attack allegedly came from a Russian IP address…

 

General-Jack-Ripper--Sterling-Hayden-in-Dr-Strangelove"And was designed to sap our precious bodily fluids!"

 

However, even if these were not real cyberattacks, the vulnerabilities that exist in SCADA systems are real.  And even if these were not real cyberattacks, it may only be a matter of time before real cyberattacks exploit those vulnerabilities. 

On November 20th, 2011, Tom Bradley wrote for PCWorld on the vulnerabilities of SCADA systems.  The article quoted Dave Marcus, Director of Security Research for McAfee Labs, as saying there are two main questions regarding SCADA systems: “How easy is it to attack SCADA networks?” and, “Are we going to see more of these types of attacks?”  As for the first question, the article notes that you can attack any system with "enough time and dedication to develop a successful attack."  As for the second question, Marcus thinks that attackers will continue to target SCADA networks because SCADA networks are "low-hanging fruit", or systems that "take the least effort to compromise while yielding the most impact possible."  Marcus went on to say that SCADA networks lack perimeter defenses, and more disturbingly, SCADA networks "don’t have the tools or capabilities to detect cyber intrusions." 

On November 21, Fahimda Rashid also wrote for EWeek.com on SCADA systems.  Rashid writes that utility companies are "running outdated software or using applications known to be insecure."  Specifically, cybersecurity expert Brian Krebs noted that the Springfield water utility (the same one that was supposedly hacked) was running a Web-based administration tool called phpMyAdmin.  Well, the article notes that phpMyAdmin has over 100 security vulnerabilities and "it is becoming a common practice to connect sensitive critical infrastructure to the Internet and use off-the-shelf software to manage them for convenience and to keep costs low . . . this is bordering on criminally negligent when you are responsible for our water, power, gas and other sensitive utilities."  

Finally, on November 22, Jaikumar Vijayan wrote for ComputerWorld on the four lessons that these attacks have taught us.  These lessons are:

  1. Information sharing is critical

  2. SCADA systems are easy to hack

  3. More people will attempt to break into SCADA systems

  4. Fixing SCADA systems is hard

***

Picture source: Dr. Strangelove or: How I Learned To Stop Worrying And Love The Bomb, Columbia Pictures Co.

Leave a Reply

Bitnami