4 lessons from the Springfield, Ill. SCADA cyberattack

The recent cyberattack on a public water utility in Springfield, Ill. has stoked considerable concerns about the vulnerability of U.S. critical infrastructure equipment.

The attack destroyed a pump at the facility when someone using a computer with an IP address based in Russia gained access to the Supervisory Control and Data Acquisition (SCADA) system controlling the pump.

Experts in the industrial control systems arena say that, while the attack was relatively inconsequential and not surprising given the vulnerabilities that exist, it may be a harbinger of things to come.

Here are four lessons from the incident, which is still under investigation:

Information sharing is critical

Though an initial report by the Illinois Statewide Terrorism and Intelligence Center called the incident a public water district cyber intrusion, the Department of Homeland Security (DHS) and other agencies that share information on such incidents have so far been relatively quiet about what happened. That led to speculation about the nature of the attack, how serious it was, and what the motives might have been. Some even question whether the pump could have failed in the manner reported in the incident report.

The water pump at the Springfield utility is supposed to have burned out after attackers used their access to the SCADA system to cycle the pump off and on continuously. Typically that should not have happened, said L.W. Brittian, a SCADA system consultant and training expert. "Rapid cycling of a large pump motor should not, by itself, have been enough to burn a pump motor up," Brittian said. While turning a pump motor on and off over and over can cause it to overheat, the temperature and pressure control mechanisms built into it should have tripped, taking it safely offline.

"The SCADA system may have been accessible on the Internet, so someone could come in and get the pump to run and they could ask it to stop," Brittian said. "They could tell it to start and stop every three seconds until something happens," he said. But what they would not have been able to access over the Internet is the overload relay that is provided to protect the motor from overloading and burning up.

Even if hackers had accessed the operating controls, it's doubtful they could have also accessed the safety controls, he said. "We need more details of exactly what happened."
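The mechanism Brittian describes, a remote operator issuing start/stop commands every few seconds, is exactly the kind of pattern a utility can detect in its own SCADA command history, independently of whether the motor's protective relay ever trips. The following is an added example, not code from the article or from any utility or vendor it mentions: it scans constructed command-log lines (the log format, the `PUMP1` tag name and the trusted operator subnet `10.1.1.0/24` are all assumptions) and raises an alert when a single tag receives more start/stop commands inside a sliding window than normal operation would ever produce, noting whether any of those commands came from outside the trusted network.

```python
"""Flag rapid on/off cycling of a SCADA-controlled pump from command logs.

Added example for illustration only. The log format below is assumed:
    <ISO-8601 timestamp> <source IP> <tag> <command>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: operator workstations live on this subnet; anything else is untrusted.
TRUSTED_NETS = [ip_network("10.1.1.0/24")]

# Constructed sample log: two routine commands from an operator workstation,
# then a burst of start/stop commands every three seconds from an external
# address (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.1.1.5 PUMP1 START
2024-03-01T10:05:00 10.1.1.5 PUMP1 STOP
2024-03-01T11:00:00 203.0.113.7 PUMP1 START
2024-03-01T11:00:03 203.0.113.7 PUMP1 STOP
2024-03-01T11:00:06 203.0.113.7 PUMP1 START
2024-03-01T11:00:09 203.0.113.7 PUMP1 STOP
2024-03-01T11:00:12 203.0.113.7 PUMP1 START
2024-03-01T11:00:15 203.0.113.7 PUMP1 STOP
2024-03-01T11:00:18 203.0.113.7 PUMP1 START
2024-03-01T12:30:00 10.1.1.5 PUMP1 STOP
"""


def is_trusted(src: str) -> bool:
    """True if the source address falls inside a trusted operator subnet."""
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def parse_line(line: str) -> dict:
    """Split one log line into its timestamp, source, tag and command."""
    ts, src, tag, cmd = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "tag": tag, "cmd": cmd}


def find_rapid_cycling(lines, window_seconds: int = 60, max_commands: int = 6) -> list:
    """Return one alert per burst of >= max_commands start/stop commands
    on the same tag within window_seconds.

    A per-tag deque holds the recent commands; entries older than the window
    are dropped before the count is checked, and the deque is cleared after an
    alert so that one burst produces one alert rather than one per command.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # tag -> deque of (timestamp, source)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["cmd"] not in ("START", "STOP"):
            continue  # only motor control commands count towards cycling
        q = recent[ev["tag"]]
        q.append((ev["ts"], ev["src"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= max_commands:
            sources = {src for _, src in q}
            alerts.append({
                "tag": ev["tag"],
                "commands": len(q),
                "first": q[0][0],
                "last": ev["ts"],
                "sources": sorted(sources),
                "untrusted_source": any(not is_trusted(s) for s in sources),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_rapid_cycling(SAMPLE_LOG.splitlines()):
        flag = "UNTRUSTED SOURCE" if alert["untrusted_source"] else "trusted source"
        print(f"{alert['tag']}: {alert['commands']} start/stop commands between "
              f"{alert['first']} and {alert['last']} from {alert['sources']} ({flag})")
```

Thresholds are deliberately conservative: six motor commands in a minute is far outside routine operation for a large pump, so the rule produces few false positives, and the untrusted-source flag separates a misbehaving operator script from the Internet-exposed-HMI scenario Brittian describes. In a real deployment the log would come from the HMI or historian, and the alert would feed whatever monitoring the utility already has.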

SCADA systems are easy to hack

A vast majority of the systems used to control critical equipment at places like power stations, nuclear power plants and water treatment facilities are inherently insecure. In many cases, anyone with logical access to an industrial control system or programmable logic controller can upload firmware on it without authentication. Passwords are often hardcoded into systems. And many systems have administrative backdoors and contain very basic buffer overflow errors.

Such vulnerabilities were acceptable for a long time because SCADA systems were not really connected to the outside world; an attacker usually needed physical access to a SCADA system to compromise it.

That's changed over the last few years. A growing number of SCADA systems are connected to the Internet, making them much more vulnerable to attack from external sources. Last week, a hacker named pr0f claimed he hacked into a SCADA system at a water utility in South Houston by overcoming a three-character password that was used to protect the system.

"The major thing about control system security that most people don't get is that there is none," said Ralph Langner, a German industrial control systems expert noted for his research on the Stuxnet worm last year. Stuxnet has been blamed for disrupting Iran's uranium enrichment efforts by causing SCADA problems. More recently, Iran said it had been affected by the Duqu trojan, which also targets SCADA systems.

Duqu is seen as a precursor to the next Stuxnet.

More people will attempt to break into SCADA systems

Expect to see many more such attacks. After Stuxnet, the SCADA community has been living in a fishbowl of sorts, said Eric Byres, CTO and founder of Byres Security, a provider of industrial control system security products and consulting services. People who didn't know how to spell SCADA are now finding all sorts of vulnerabilities in SCADA products. So far this year, there have been over 200 vulnerabilities discovered in ICS products from various vendors, compared to just over 10 that were discovered in all of 2010.

The SCADA community is "no longer living in a little bubble," Byres said. "Security by obscurity no longer works."

Fixing SCADA systems is hard

After Stuxnet, there has been a greater effort to find and fix vulnerabilities in SCADA systems. But most of the focus has been on addressing issues in the front-end -- mostly Windows-based Human Machine Interface (HMI) systems that are used to interact with SCADA systems. Vendors are paying far less attention to vulnerabilities in the embedded control systems themselves. The ISA Security Compliance Institute last year launched a program to test and certify industrial control system products for vulnerabilities. So far just two companies have had their products certified under the program.

Utilities also often lack the resources needed to bolster the security of their control systems. This is especially true in the case of smaller utilities such as the one that was attacked last week in Springfield. "Smaller utilities have a harder time securing their SCADA and DCS [Distributed Control System] because they don't have the IT staff or other resources to allocate to this," said Dale Peterson, CEO of Digital Bond, a consultancy that specializes in control system security.

"We have seen municipal utilities that have two people on the IT staff that are responsible for keeping everything running," from desktops and email systems to SCADA and distributed control systems, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
