Last week I wrote a story on the compromise of an industrial control system in Illinois that destroyed a pump at a water processing facility. The same day a hacker came forward and posted internal information on pastebin.com from another compromised utility in South Houston, Texas.
Within hours of publication I was contacted by the hacker involved in the Texas incident and I was able to ask him a few questions via email about the state of critical infrastructure security.
In his original message to Naked Security he noted that he was able to access the systems at the South Houston facilities through two methods.
First he was able to connect to a variant of VNC that is accessible from the internet to capture the screenshots he posted. He also was able to access a web administration portal, which he claims he can still access.
He also commented “Don’t worry, I use my powers for good and such.” We can only hope that is true. He understands that his exploits are a crime and insists he is simply trying to draw attention to this problem.
Chester: It appears that many attacks against SCADA systems are opportunistic, ie. they target systems that are “wide open” rather than targeting specific facilities. Have you explored the security of specific systems, or have you simply been able to find the least secure systems?
pr0f: I have entered a couple of different kinds of systems, but I am under no illusions about my level of skill. These are the least secure systems.
Chester: You disclosed your attack on South Houston quick on the heels of the story about the water system attack in Illinois. Was this coincidental and what was the point in you disclosing your attack?
pr0f: It was deliberate. I was furious at the lack of proper government response. The response they gave was nothing more than “Nothing happened. Probably.” When clearly something did happen.
Chester: In your experience, where does the responsibility lie in these systems being configured so insecurely? With the system manufacturers, integrators, operators or a combination of all of them?
pr0f: Frankly, I think the operators are probably least at fault. They’re trained to operate these machines; they’re engineers, not netsec experts.
The manufacturers should have been working to the highest standards from the start, since these systems are difficult to update. And the integrators, people who are contracted to install them, should make sure they are actually as secure as possible, too.
Chester: Accessing the system you posted information about to pastebin is a crime in the United States. What changes could be made to the Computer Fraud and Abuse Act to encourage responsible disclosure of security flaws and unprotected systems?
pr0f: I really think that it should be a matter of intent and actual damage caused. Shutting one of these down is obviously a crime. Finding one and accessing it out of curiosity, then exposing how insecure it is responsibly, should perhaps be treated a lot more leniently (of course, I am a little biased here).
In no way does Naked Security endorse pr0f’s methods, but he does raise some interesting points.
Unlike many of the data disclosures by the likes of Anonymous, he has not disclosed your personal details, but rather drawn attention to a rather serious problem many have had their heads in the sand over.
He acknowledges as much and stated “I’m aware I’m screwed when I get caught, if you’ll excuse my language.”
Like many security problems improvement in the safety of these systems will require manufacturers, consultants and operators to work together. Let us hope these two incidents are causing everyone involved to take a closer look at their own systems.