Poor Passwords, Weak Software Leave Infrastructure Vulnerable to Cyber-Attacks
Security professionals have been sounding the alarm about protecting critical infrastructure from cyber-attackers for a while, and recent incidents show that attacks are very likely.
Shortly after reports emerged of cyber-attackers breaching a city water utility network in Springfield, Ill., and damaging a water pump, another hacker, going by the name "pr0f" targeted a city water utility in South Houston, Texas, to show how easy it was to compromise the industrial-control systems at these facilities. He posted screenshots purported to be taken after breaching the system, but there is no definitive way to look at the images and ascertain whether they are legitimate, Andre Eaddy, director of cyber-security portfolio services at Unisys, told eWEEK.
However, even without additional details on what happened in the attack at the Illinois facility or the South Houston plant, attacks against critical infrastructure need to be taken seriously, Eaddy said.
"Without a question, this was not an isolated event. There will be other events to follow," Eaddy said.
There was no harm done to the sewer system, and the supervisory control and data acquisition (SCADA) system has been taken offline, South Houston Mayor Joe Soto told the Houston Chronicle. Pr0f claimed to have steered clear of causing any damage, calling such vandalism "stupid and silly."
Pr0f also blamed the utility for connecting SCADA systems to the Internet. In subsequent interviews with Threatpost, pr0f claimed the facility was running Siemens Simatic human-machine interface software that was accessible from the Internet and was protected with a password only three characters long.
"I wouldn't even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two-year old with a basic knowledge of Simatic," he wrote in a post on Pastebin, a text-sharing site.
Hooking up SCADA systems to the Internet is not a security "best practice," Eaddy said, but there are a number of reasons a business might decide to do so, such as the convenience of being able to remotely monitor and manage the facility. Whether the business reason is worth the risk, depends on the organization's tolerance level, he said.
Utility companies have the responsibility to ensure their systems are reasonably secure and not to engage in "sub-par, risky practices," such as running outdated software or using applications known to be insecure, according Eaddy. Hackers aren't necessarily crafting exotic exploits or customizing new attacks, as they can target known vulnerabilities in programs that haven't been fixed, he said. These aren't zero-day bugs, but rather issues that people have known about for a long time, according to Eaddy.
"I dislike, immensely, how the DHS tends to downplay" the weaknesses of the national infrastructure, the hacker wrote on Pastebin, claiming that the South Houston breach was spurred in part to show that the Springfield attack was not an unusual incident.
According to a security writer Brian Krebs, who had access to portions of the report issued by the Illinois Statewide Terrorism and Intelligence Center about the attack in Springfield, the water utility was running a copy of phpMyAdmin, a popular Web-based database administration tool.