Hacker Apparently Triggers Illinois Water Pump Burnout

  /     /     /  
Publicated : 22/11/2024   Category : security


Hacker Apparently Triggers Illinois Water Pump Burnout


Attack illustrates the extent to which industrial control systems are Internet-connected, yet lack basic password checks or access controls.



Federal authorities are investigating a hack that resulted in the burnout of a water pump at the Curran-Gardner Township Public Water District in Illinois. Located west of Springfield, Ill., the utility serves about 2,200 customers.
A hacker apparently exploited a supervisory control and data acquisition (SCADA) system that managed the water pump and set the pump to continually turn on and off. Only after the pump failed, earlier this month, did plant operators discover that their systems had been exploited, apparently in September. The attack appeared to have been launched from a server based in Russia.
Federal authorities said theyre investigating the attack, but offered no specifics about the exploit. DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Illinois, Department of Homeland Security spokesman Peter Boogaard said in a statement. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.
[ Get the scoop on industrial control system threat Duqu. Read
7 Facts On Duqu Malware Attacks
. ]
According to
news reports
, Illinois officials discovered that the attacker had exploited an instance of phpMyAdmin running at the facility. The open source tool, according to its
Sourceforge project notes
, is intended to handle the administration of MySQL over the Web.
But why was a water treatment facility using phpMyAdmin, which has
over 100 known vulnerabilities
? I run a reasonably low-profile, small website for myself and some friends and at one point had installed phpMyAdmin to assist them with daily SQL management chores, said Chester Wisniewski, a senior security advisor at Sophos Canada, in a
blog post
. I removed it four years ago after a never-ending stream of severe vulnerabilities made it too risky for my
play
site.
Convenience and price are always desirable to those responsible for managing these systems, but this is bordering on criminally negligent when you are responsible for our water, power, gas, and other sensitive utilities, he said.
According to
industrial control system security
expert Joe Weiss, managing partner at Applied Control Solutions, the Illinois SCADA hack has also exposed fundamental critical infrastructure information-sharing problems. The system is broken, said Weiss on his
blog
. Notably, by Thursday--after news of the attack had spread--none of the water utilities I have spoken to were aware of it, he said. Thats because no information about the incident had been distributed via the industry-focused information sharing and analysis centers (ISACs), or by
fusion centers
meant to coordinate terrorism prevention and response efforts between federal agencies and local and state governments.
The disclosure was made by a state organization, but has not been disclosed by the Water ISAC, the DHS Daily unclassified report, the ICS-CERT [the DHS Industrial Control Systems Cyber Emergency Response Team], etc., said Weiss. He said that the government must do a much better job of coordinating and disclosing information about these types of attacks, and in a timely manner.
For helping to prevent future such attacks, hes also called for better control system cybersecurity training and policies, and urged control system users to put better processes and technology in place for supporting
digital forensics
.
The Illinois water hack has already inspired another, more recent exploit, this one against a water treatment facility in South Houston, Texas. The hacker who took credit for the intrusion, who goes by the handle pr0f, released screenshots of the exploited programmable logic controller (PLC). But he
told Threatpost
that the Siemens Simatic human machine interface (HMI) software that he exploited was Internet-connected, and protected with only a three-character password.
This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this, he said. Im sorry this aint a tale of advanced persistent threats and stuff, but frankly most compromises Ive seen have been have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint.
Read our report on how to guard your systems from a SQL attack.
Download the report now
. (Free registration required.)

Last News

▸ Veritabile Defecte de Proiectare a Securitatii in Software -> Top 10 Software Security Design Flaws ◂
Discovered: 23/12/2024
Category: security

▸ Sony, XBox Targeted by DDoS Attacks, Hacktivist Threats ◂
Discovered: 23/12/2024
Category: security

▸ There are plenty of online tools for reporting bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Hacker Apparently Triggers Illinois Water Pump Burnout