As the world becomes increasingly digitized, IT security impacts more and more of our lives. Most ordinary citizens are unaware of how our important civic services (electricity, public transportation and water, not just telecommunications) now depend on computing and networking technologies.

Many industrial utilities are operated with SCADA (supervisory control and data acquisition) systems, the supervisory layer of industrial control systems (ICS). Surprisingly, the water control SCADA in South Houston, Texas, has been operating at least partially on the Internet rather than on a closed network. Water treatment includes filtering out contaminants and adding important chemicals, including fluoride and chlorine, in just the right quantities. Allowing too many contaminants into the public water supply, or adding too much or too little fluoride or chlorine, could make millions of people sick or even kill them. Malicious crackers from anywhere in the world could access South Houston’s water SCADA with the right equipment and know-how, and now an intrusion has actually been confirmed.

A government report came out on November 10th, two days after the attack was detected, but unexplained problems in the SCADA’s HMI (human-machine interface) had been observed in the weeks beforehand.


From Dan Goodin’s report on The Register:

“Over a period of two to three months, minor glitches had been observed in remote access to the water district’s SCADA system,” (Joe) Weiss (a managing partner for Applied Control Solutions) said during an interview, in which he read a verbatim portion of the document to The Register. He said that the attackers were able to burn out one of the utility’s pumps by causing either the pump or the SCADA system that controlled it to turn on and off repeatedly.

A cracker who goes by the handle ‘pr0f’ claims some responsibility for the attacks. He came to my attention via his post on pastebin.


From the post:

“I’m not going to expose the details of the box. No damage was done to any of the machinery; I don’t really like mindless vandalism. It’s stupid and silly.

On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two-year-old with a basic knowledge of Simatic.”

I interviewed pr0f by e-mail. He was glad to share his thoughts with me.


How did you learn about the SCADA system and how it operates?

I mostly learned about SCADA systems by reading books and articles published on the topic and manuals that had been published/leaked online. It took a while, but all of the information required to understand the basic operation of industrial control systems is out there, online.


How did you learn about the hack?

The hack itself wasn’t an especially advanced kind of attack; having a basic familiarity with how these systems operate would give one an idea of their strengths and weaknesses in terms of security.


Is it necessary for the SCADA system to be linked to the Internet? What are the possible alternatives?

I do not personally believe that these systems need to be connected to the internet, no. That makes them so vulnerable. If they have to be controlled remotely, the only access should be through a VPN with multi-factor authentication.


Which particular vulnerabilities and attack vectors are you most concerned about?

The attacks that worry me most are those that can be carried out with absolutely no knowledge of the target system; leaving Windows XP boxes attached to the internet running SCADA or ICS software while they’re running a vulnerable service that anyone could attack with a public exploit, for example. Stuxnet-style attacks using multiple unknown 0-day attacks are beyond the capabilities of most attackers, but attacking a system attached to the internet with no defenses is not.


If you were going to audit the security of the South Houston SCADA system, what would your specific recommendations be?

I would recommend that they use better password security (letters, symbols, numbers), and also install some VPN software so that access to that system could have been kept only to people with proper authorization.
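The two things pr0f and the Register report point at (remote logins that bypass a VPN, and a pump being cycled on and off until it burned out) are both visible in an HMI event log if someone looks. The following is an added example, not code from the article or from any Simatic product: it runs over a constructed log in an assumed format, treats 10.8.0.0/24 as the assumed VPN address pool, and raises an alert for logins from outside that pool and for pumps that change state more than a threshold number of times in a short window.

```python
from collections import deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample HMI event log (assumed format, not from any real system):
# "<ISO timestamp> <event> <source-ip> <detail>"
SAMPLE_LOG = """\
2011-11-08T02:10:05 LOGIN 10.8.0.12 user=operator
2011-11-08T02:11:40 LOGIN 203.0.113.7 user=admin
2011-11-08T02:12:01 PUMP 203.0.113.7 pump1=ON
2011-11-08T02:12:09 PUMP 203.0.113.7 pump1=OFF
2011-11-08T02:12:15 PUMP 203.0.113.7 pump1=ON
2011-11-08T02:12:22 PUMP 203.0.113.7 pump1=OFF
2011-11-08T02:12:30 PUMP 203.0.113.7 pump1=ON
2011-11-08T03:00:00 PUMP 10.8.0.12 pump2=ON
"""

# Assumption: authorized remote operators only ever arrive through the VPN pool.
VPN_POOL = ip_network("10.8.0.0/24")
MAX_TOGGLES = 4              # state changes per pump inside WINDOW before alerting
WINDOW = timedelta(minutes=5)


def parse(line):
    """Split one log line into (timestamp, event, source ip, detail)."""
    ts, event, src, detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), event, src, detail


def find_alerts(log_text, vpn_pool=VPN_POOL, max_toggles=MAX_TOGGLES, window=WINDOW):
    """Return a list of (alert_type, subject, info) tuples for the given log."""
    alerts = []
    recent = {}  # pump name -> deque of timestamps of its recent state changes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, src, detail = parse(line)
        if event == "LOGIN" and ip_address(src) not in vpn_pool:
            alerts.append(("NON_VPN_LOGIN", src, detail))
        elif event == "PUMP":
            pump, _, _state = detail.partition("=")
            q = recent.setdefault(pump, deque())
            q.append(ts)
            while q and ts - q[0] > window:   # drop changes older than the window
                q.popleft()
            if len(q) == max_toggles:         # fire once when the threshold is hit
                alerts.append(("PUMP_CYCLING", pump, f"{len(q)} changes in {window}"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

On the constructed log this flags the admin login from 203.0.113.7 and pump1 after its fourth state change in under a minute; a real deployment would feed the HMI's own audit log and tune the threshold to the process.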


What do you speculate is the cause (or one of the causes) of these systems to be so insecure? An incompetent IT department? An IT department which is unable to get financial and procedural/policy support from their corporation?

Honestly, I think the main reason they are so insecure is due to lack of funding. It is easier to have something accessible via the internet than have to set up a secure network or hire someone to monitor it 24/7. Although, lazy systems administrators certainly do not help the issue!


Thanks for your valuable input. Is there anything else you’d like to add, which may help with my article?

I would recommend that they use better password security (letters, symbols, numbers), and also install some VPN software so that access to that system could have been kept only to people with proper authorization.


I empathize with your concern about explaining in detail how you carried out the attack, legalities and such. Please, please, is there anything pertinent you can share with me?

Trust me, it’s not about protecting myself from anything, I’m not too worried about that, it’s a matter of waiting until a number of Simatic boxes have been pulled from the net and protected from attacks that require absolutely no inside knowledge of ICS protocols. For the sake of having a tale to tell, though, it is fairly safely altered and summarized as I used a scanner to detect services I knew the Simatic HMI ran. Upon detecting one, I was able to locate the default password using a simple Google search, and then reading a couple of manuals on the net, I was able to figure out how to access the graphical interface, which used the default password.

There is slightly more to it than that, but it would be irresponsible for me to disclose anything else right now.

Okay, fair enough. Thanks for your cooperation.

It’s no problem. I’m genuinely sorry I couldn’t be of more assistance, but until one of the CERTs gets up and actually starts doing stuff, it would be incredibly irresponsible for me to reveal the existence of any issues that could allow someone with relatively little knowledge of control systems to hijack them with ease, especially given the current climate.

Diagrams from pr0f’s pastebin:

The HMI could be authenticated with a three-character password. My jaw dropped… a three-character password? There’s food for thought.


References:

  1. Paul Roberts, Threatpost, “Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System”
http://threatpost.com/en_us/blogs/hacker-says-texas-town-used-three-digit-password-secure-internet-facing-scada-system-112011

  2. Dan Goodin, The Register, “Water utility hackers destroy pump, expert says”
http://www.theregister.co.uk/2011/11/17/water_utility_hacked/

  3. pr0f, pastebin, “The Grid; A Digital Frontier”
http://pastebin.com/Wx90LLum