US SCADA Water System Breached, Damaged

The Register reports that the SCADA system of a public water district in the US has been compromised.  The attackers caused a water pump and/or its control system to fail by rapidly and repeatedly switching the pump on and off.  Few other details are known at this time.

The utility experienced intermittent computer problems for a number of months before the attack was identified.  It is believed that the SCADA software vendor was compromised first, that customer system credentials were stolen from it, and that those credentials were then used in this attack.  The name of the SCADA software vendor has not been disclosed, and so far there are no reports of similar incidents elsewhere.

SCADA systems run critical infrastructure such as power, oil, natural gas, and water distribution, and, like any software-based systems, they have vulnerabilities of their own.  Because these networks manage the devices that underpin modern daily life, it is essential that access to them be carefully controlled and monitored.

According to a blog entry by Joe Weiss on the ControlGlobal Community site, there are a number of very important issues in this disclosure:

  • The disclosure was made by a state organization, not by the Water ISAC, the DHS daily unclassified report, ICS-CERT, etc.  Consequently, none of the other water utilities appear to be aware of it.
  • It is believed the SCADA software vendor was hacked and customer usernames and passwords stolen.
  • The IP address of the attacker was traced back to Russia.
  • It is unknown if other water system SCADA users have been attacked.
  • Minor glitches were observed in remote access to the SCADA system for 2-3 months before it was identified as an attack.
  • There was damage – the SCADA system was powered on and off, burning out a water pump.

There are a number of actions that should be taken because of this incident.

  • Provide better coordination and disclosure by the government.
  • Provide better information sharing with industry.
  • Provide control system cybersecurity training and policies.
  • Implement control system forensics.
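The damage described above came from a pump being cycled on and off far faster than any legitimate operation requires, which is exactly the kind of pattern that control-system monitoring and forensics can catch.  As an added example (not from the article, the utility, or any SCADA vendor), the following Python script scans a constructed HMI write-audit log for run/stop tags toggled more than a threshold number of times inside a sliding window and reports the users and source addresses behind the transitions; the log format, tag names, user names and addresses are all assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed HMI audit log; line format, tags, users and the 203.0.113.x address are assumed.
SAMPLE_LOG = """\
2024-03-01T02:00:00 user=vendor_support src=203.0.113.45 cmd=SET tag=PUMP1.RUN value=1
2024-03-01T02:00:20 user=vendor_support src=203.0.113.45 cmd=SET tag=PUMP1.RUN value=0
2024-03-01T02:00:40 user=vendor_support src=203.0.113.45 cmd=SET tag=PUMP1.RUN value=1
2024-03-01T02:01:00 user=vendor_support src=203.0.113.45 cmd=SET tag=PUMP1.RUN value=0
2024-03-01T02:01:20 user=vendor_support src=203.0.113.45 cmd=SET tag=PUMP1.RUN value=1
2024-03-01T06:00:00 user=operator1 src=10.1.1.5 cmd=SET tag=PUMP2.RUN value=1
2024-03-01T14:00:00 user=operator1 src=10.1.1.5 cmd=SET tag=PUMP2.RUN value=0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"cmd=SET tag=(?P<tag>\S+) value=(?P<val>[01])$")

def parse_line(line):
    """Parse one audit line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect_rapid_cycling(log_text, window=timedelta(minutes=5), max_changes=3):
    """Alert when a run/stop tag changes state more than max_changes times in one window."""
    last_val = {}                 # tag -> last written value
    changes = defaultdict(deque)  # tag -> recent (ts, user, src) state transitions
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        tag, prev = ev["tag"], last_val.get(ev["tag"])
        last_val[tag] = ev["val"]
        if prev is None or prev == ev["val"]:
            continue              # first write or repeated value: not a transition
        q = changes[tag]
        q.append((ev["ts"], ev["user"], ev["src"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()           # drop transitions that fell out of the window
        if len(q) > max_changes:
            alerts.append({"tag": tag, "changes": len(q), "first": q[0][0], "last": q[-1][0],
                           "users": {u for _, u, _ in q}, "sources": {s for _, _, s in q}})
            q.clear()             # reset so each burst alerts once
    return alerts
```

Running it over the constructed log flags PUMP1.RUN (four transitions in just over a minute, all from one remote vendor account) and leaves the operator's two daily writes to PUMP2.RUN alone; in practice the same check would be fed from the HMI's archived command history.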

SCADA stands for Supervisory Control And Data Acquisition.  These are the systems that monitor and control industrial, infrastructure, or facility-based processes.  There are three main elements to any SCADA system:

  • Remote Telemetry Units (RTU)
  • Communications Devices
  • Human Machine Interfaces (HMI)

Each RTU collects information at a site, while Communications Devices carry that information from the individual plant and regional RTU sites to a central location and return basic instructions to the RTUs.  The HMI displays this information in simplified graphical form, archives the data, transmits alarms, and permits limited operator control.  Communication within a plant is by data cable or fiber-optic cable, while regional systems most commonly use wireless radio.

These core components may be supported by Supervisory Modules that interface with the HMI to consolidate data and issue extended command sets, and by Programmable Logic Controllers (PLCs), usually cheap commodity PCs acting as specialized field devices because they are more economical, versatile, flexible, and configurable than purpose-built RTUs.  I’ve seen PLCs running Windows 95, or even DOS, in a manufacturing environment as recently as 2 years ago because they are cheap and easy to replace.