US SCADA infrastructure woefully unprotected

Filed Under: Featured, Malware, Vulnerability

It has been reported that a SCADA systems failure at a municipal water processing plant may have been caused by hackers infiltrating their network.

The attackers were repeatedly turning a pump on and off until it caused the pump to fail, raising an alert to the operators.

Upon investigation they determined that attackers may have infiltrated the system starting in September 2011, although the attack wasn't discovered until November 8th, 2011.

The notice about the attack noted that it was similar to an attack against the Massachusetts Institute of Technology earlier this year which exploited bugs in the open source software phpMyAdmin.

Reading about this my spidey-sense was tingling... What? They have SCADA control systems hooked up to the public internet? And they are running phpMyAdmin!?!?

I run a reasonably low profile, small website for myself and some friends and at one point had installed phpMyAdmin to assist them with daily SQL management chores.

I removed it four years ago after a never ending stream of severe vulnerabilities made it too risky for my *play* site.

According to the National Vulnerability Database, phpMyAdmin has at least 105 reported security vulnerabilities.

It would appear it is common practice these days to connect these sensitive critical infrastructure systems to the public internet and use COTS (Common Off The Shelf) software to manage them.

Convenience and price are always desirable to those responsible for managing these systems, but this is bordering on criminally negligent when you are responsible for our water, power, gas and other sensitive utilities.

The Department of Homeland Security needs to do a top-down audit of these systems and mandate that these insecure practices come to an end.

Within hours of the news breaking on this story a hacker known as pr0f posted images of internal SCADA control systems from the City of South Houston, Nevada.

City of South Houston SCADA system

He insists he hasn't interfered with their operations and is just releasing the information to draw attention to the problem.

Of course that doesn't change the fact that accessing these systems is still a criminal act under the Computer Fraud and Abuse Act.

We may already be at a crisis point with regards to our infrastructure security, but perhaps these stories will be a wake up call for those managing similar systems around the world.

Creative Commons photo of a water tower courtesy of christinejwarner's Flickr photostream.


8 Responses to US SCADA infrastructure woefully unprotected

  1. Brian · 1013 days ago

    These systems should not be on a publicly accessible network and that is all there is to it. If these idiots keep leaving networks exposed then it is obvious what the outcome will be and phpMyAdmin? Why in the world would that be left on such a server to begin with and then why was it made publicly available? It is one thing to use this software but to leave it exposed is entirely on them. This is why you should hire experience over college degrees.

    • Narwhal · 1009 days ago

      Brian, I couldn't agree more with your comments. We need a Scada system on a very sensitive technology, strictly for communication and alarms from different parts of the world. It has not been implemented as yet as our proposed service provider has not been able to convince me of their security capabilities. Hackers are one thing but smart terrorists are another concerning our sensitive infrastructure. For other security reasons we have not even established a website. Call me old fashioned, but at 66 that is exactly what I am.

  2. Elle Woods · 1012 days ago

    Mr. Wisniewski:

    Excellent post. I suspect (and would hope) that you are sensing more than spidey tingling at this point; but the actual morbidly systemic venom as well.

    While audits are critical to any security system; they can be inherently flawed and subject to corruption when the underlying institutions often fund the audits themselves. The Digital Certificate and the US bond rating system should teach us something about how such practices are in desperate need of reform.

    Moreover, I can't wait to hear which underage or homeless lone hacker takes the fall for this one (yawn). A refreshing deterrent would be a high-profile take down of some of the big money interests really behind these sophisticated hacking programs. But wait, then who is the Department of Homeland Security going to use? The odds do not favor some internal employee possessing the skill and intelligence required to thwart today's rocket science cyber-threats, yet nobly toiling away for $65,000/year.

    I know this is a cynical comment. Lest you perceive me as a sideline spectator all too happy to whine about incredibly complex global issues, whether ethical, practical, political etc. without even attempting to help; I have begun applying for an intelligence analyst position in the FBI. That's how I know how little they make relative to what the job entails in the current environment.

  3. Mike H. · 1011 days ago

    Timely story. I don't know why these events don't happen more often. The National Transportation Safety Board (NTSB) Pipeline Accident Report for the June 1999 Olympic Pipeline accident found several shocking problems with the SCADA system there:

    1. The 2 VAX computers for the SCADA system were linked to a dial up modem.

    2. Many User accounts for the VAX computers were Super Users, even if they had no need to access many areas of the system.

    3. They had no firewalls on the system.

    4. One of the VAX computers was for hot standby, and the other was to be controlling the pipeline. The Pipeline Controllers were testing software upgrades on the backup computer, but the system was set up so that software changes in one VAX are reflected in the other VAX! There was a software bug that caused both computers to slow & eventually hang.

    While there's no law to prevent pipeline operators from working on the software of a live SCADA system, the NTSB seemed irked about that practice.

    A balky automatic valve on this pipeline closed while the SCADA was bogging down, causing a spike in pressure that Controllers didn't notice. The result was 240,000 gallons of gasoline spilling into a suburban creek, that later ignited, killing 3 young men.

    The full report is here:
    http://www.ntsb.gov/doclib/reports/2002/PAR0202.p...

    The El Paso Natural Gas (EPNG) Pipeline failure in New Mexico in 2000 raised some more issues of concern to SCADA. NTSB investigators found that compressors downstream of the rupture there cut power upon low suction (intake) pressure, and a UPS comes on for pump cooling water there. Yet, there was no UPS for the modem sending data to EPNG's SCADA. So, lose power, lose communication. While fixing that oversight would not have prevented that accident, it could be a factor in future pipeline accidents.

  4. pr0f · 1011 days ago

    @Elle:
    Hello. I'm actually not underage, and not even homeless, but thanks for your vaguely conspiratorial post that implies possible support for my actions as long as I'm not working for a Government Black Ops Group (which I'm not. I'm barely qualified to work at Walmart, though that still leaves open the possibility of the civil service in some places, I guess). I do agree with you about the internal audits, they are a bad idea. But part of the problem is these things were installed 10 years ago by some company the work was outsourced to, and no one has actually had to think about doing anything with them, apart from minor trouble shooting since.
    @Mike H:
    To be fair to them, VAX systems are notoriously secure compared to other operating systems, like Windows and *nix, which have a wonderful habit of being equipped, for some reason, with third-party packages coded by a thousand monkeys typing on a thousand type-writers. Cough sendmail. Cough BIND. Cough Adobe flash.
    Also, navigating DCL, while fun, is a bit like being a rat in a maze if you have no prior experience.
    But, joking aside, I haven't got much experience with SCADA. I'm just some guy who thought he'd read a few books and go see what he could find online. It seems like the culture among control system designers is "eh. It'll do." That, in my opinion, is really, really wrong, and really, really terrifying.
    And frankly, to comment on "Of course that doesn't change the fact that accessing these systems is still a criminal act under the Computer Fraud and Abuse Act," I think trying to solve these problems would be worth my freedom.
    -pr0f

    • Nigel · 1008 days ago

      "I think trying to solve these problems would be worth my freedom."

      Really? Ever been in jail? You might not be so sanguine about it when that reality smacks you in the face.

      It doesn't appear that you've thought this thing through very carefully. Anyhow, good luck. You're going to need it.

  5. Mike H. · 1010 days ago

    @pr0f:
    Yes, VAX is somewhat better for security than Windows or *nix OS's, but having a dial up modem on a petroleum pipeline system is unnerving to some of us. Yes, Off The Shelf (OTS) software should be notorious for also being virus, worm, malware, etc. ready out of the box. I'm scared that a number of life safety critical systems STILL use OTS software, because the corporate bean counters said it was cheaper.

    Some companies with critical SCADA still need to get a clue that if you live by SCADA, you can die by SCADA, so at least have a UPS:
    http://thedailywtf.com/Comments/A_UPS_Should_Be_F...

    "I think trying to solve these problems would be worth my freedom."

    You point up the down side of custom software. A real custom OS/language genius can install a Trojan that stops the system, but only they know how to fix the problem, for "ransom".

  6. Slipkid · 1010 days ago

    I don't understand why these systems are connected to the internet in the first place. I think the people who decided to do this should be up on charges before anyone. I understand wanting, or needing, to have access to them while offsite, but there are ways around that without the use of a modem or connecting it to the internet directly.

    I also think that Siemens telling these people to NOT change the default passwords is ludicrous. The fact that they don't know if this will affect the internal code connections is just plain stupidity on their part. I think that anyone using this company's system better think twice moving forward, and that this should also be a criminal investigation with a higher priority on it than looking for the person who exposed the problem.

    Personally I would like to look into hacking into systems of this nature from a "Homeland Security" point of view. I think all of our infrastructure systems should be looked into by an independent committee of sorts to make sure that they are as secure as they possibly could be.

    IMHO of course.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.