Why a hack at a water plant has people very worried

"pr0f" is the name used by a hacker who is claiming responsibility for a recent break-in at the computer systems of a water plant near Houston. No damage was done in the attack, but pr0f posted pictures online detailing exactly what kind of security he was up against. He says it wasn't very hard, barely a hack at all, and that he did it to draw attention to how lousy security was at these types of facilities.

This was in response to another recent attack in Illinois. It was originally reported that hackers of unknown origin and with unknown motivation broke into a water facility's computer network and were able to disable a switch causing a pump to shut down. Officials now say there's no evidence that this was a hack from the outside.

At the time, officials said such a hack would be no big deal -- pumps fail all the time, you just replace them. But pr0f and many security experts say security on these systems is flawed at best.

The controls at these plants are known as SCADA systems. They were built for stand-alone machines, computers not hooked up to any real network. But Paul Roberts, editor of the Threatpost Blog at Kaspersky Lab, says "over the last 20 years, the Internet has really expanded and so now these SCADA systems are attached to networks, whether they're municipal or corporate networks, that themselves are attached to the Internet."

Once you're on the Internet, you're vulnerable. Which is a problem if your gear isn't built to deal with online threats. "Many of these SCADA software manufacturers," says Roberts, "are basically responding to these reports of breaches and vulnerabilities by saying this is how the software was designed. We never designed it to stand up to internet-based attacks. We never designed it to be exposed in the way it's being exposed and so, in essence, we can't do anything about it except completely rewrite the product."

Now that someone has broken into the Illinois plant and someone else broke into the Houston plant, Roberts says you'd better believe that this will happen again because those systems aren't being replaced any time soon. "It's almost like there's no bottom to this problem," he says. "Because so many of these systems are legacy systems that have been running for years, they aren't frequently patched because often utilities and water districts are primarily concerned about making sure their service is available, that their pumps continue to operate without disruption. I mean, that's their primary responsibility, so taking a system offline to patch it or to do a security audit of it is a big deal."

Former Homeland Security Assistant Policy Director Stewart Baker says a damaged water plant could lead to major problems. "If you sabotage it effectively enough," says Baker, "it means the city won't have water. If there are no pumps, then the water is going to run out pretty fast. And if you can sabotage one water pump, you can probably sabotage all of them. So the worry would be -- particularly in the context of a state-sponsored attack -- it could be tied to a variety of other attacks on industrial control systems. So at the same time you lose water, you lose power, pipelines and refineries. At that point, if all of that is taken offline for two weeks, things get very bad in the affected area."

Also in today's program, on a decidedly cheerier note, a new study from Facebook says the average user on the site is only 4.74 friends away from any other user. Which means we're all practically best friends with Kevin Bacon. Kinda.

About the author

John Moe is the host of Marketplace Tech Report, where he provides an insightful overview of the latest tech news.
