Can our Power Supply / Other Utility Systems be hacked?

Federal authorities are investigating a hack that resulted in the burnout of a water pump at the Curran-Gardner Township Public Water District in Illinois.


A hacker apparently exploited a supervisory control and data acquisition (SCADA) system that managed the water pump and set the pump to continually turn on and off. Only after the pump failed, earlier this month, did plant operators discover that their systems had been exploited, apparently in September. The attack appeared to have been launched from a server based in Russia.
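The Illinois operators noticed the intrusion only after the pump had burned out, although the command pattern behind it (a pump being switched on and off continuously) is easy to spot in the control-system command log. The following is an added example, not code from the original article or from any utility; it assumes a constructed whitespace-separated log format (timestamp, source, tag, command) and a threshold of more than four state changes within five minutes, both chosen for illustration.

```python
"""Rate-based detection of pump cycling in SCADA command logs.

Added example for this article; it is not code from the original page or
from any utility's systems. The log format, tag names and thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one command per line, whitespace-separated as
# <ISO timestamp> <source> <tag> <command>. PUMP_3 is toggled every few
# seconds; PUMP_1 shows a normal start/stop pair hours apart.
SAMPLE_LOG = """\
2011-09-12T03:14:05 hmi-01 PUMP_3 ON
2011-09-12T03:14:09 hmi-01 PUMP_3 OFF
2011-09-12T03:14:13 hmi-01 PUMP_3 ON
2011-09-12T03:14:13 hmi-01 PUMP_3 ON
2011-09-12T03:14:17 hmi-01 PUMP_3 OFF
2011-09-12T03:14:21 hmi-01 PUMP_3 ON
2011-09-12T03:14:25 hmi-01 PUMP_3 OFF
2011-09-12T03:20:00 hmi-01 PUMP_1 ON
2011-09-12T06:00:00 hmi-01 PUMP_1 OFF
"""


def parse_line(line):
    """Split one log line into (timestamp, source, tag, command)."""
    ts, source, tag, cmd = line.split()
    return datetime.fromisoformat(ts), source, tag, cmd


def detect_cycling(log_text, window=timedelta(minutes=5), max_changes=4):
    """Return one alert per tag whose state changes more than max_changes
    times inside any sliding window of the given length.

    Each alert is (tag, first_change, last_change, change_count). Repeated
    identical commands are ignored; only ON->OFF / OFF->ON transitions count.
    """
    recent = defaultdict(deque)   # tag -> timestamps of recent state changes
    last_state = {}               # tag -> last commanded state
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _source, tag, cmd = parse_line(line)
        if last_state.get(tag) == cmd:
            continue              # same command again, not a transition
        last_state[tag] = cmd
        q = recent[tag]
        q.append(ts)
        while q and ts - q[0] > window:   # drop changes outside the window
            q.popleft()
        if len(q) > max_changes and tag not in alerted:
            alerts.append((tag, q[0], ts, len(q)))
            alerted.add(tag)
    return alerts


if __name__ == "__main__":
    for tag, first, last, count in detect_cycling(SAMPLE_LOG):
        print(f"ALERT {tag}: {count} state changes between {first} and {last}")
```

Run against the constructed log, the detector raises a single alert for PUMP_3 at the fifth transition, a few seconds after the cycling starts, while the normal PUMP_1 start/stop pair stays silent. The window and threshold would be tuned per tag from the process's normal duty cycle; the point is that this class of abuse is visible in command rates long before hardware fails.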

According to news reports, Illinois officials discovered that the attacker had exploited an instance of phpMyAdmin running at the facility. The open source tool, according to its Sourceforge project notes, is “intended to handle the administration of MySQL over the Web.” But why was a water treatment facility using phpMyAdmin, which has over 100 known vulnerabilities?


The Illinois water hack has already inspired another, more recent exploit, this one against a water treatment facility in South Houston, Texas. The hacker who took credit for the intrusion, who goes by the handle “pr0f,” released screenshots of the exploited programmable logic controller (PLC). But he told Threatpost that the Siemens Simatic human machine interface (HMI) software that he exploited was Internet-connected, and protected with only a three-character password.


SCADA (Supervisory Control and Data Acquisition) systems are used to monitor and control industrial processes. They are typically found in large industries such as oil and gas, air traffic control, railways, power generation and transmission, and water management, as well as in nuclear plants.


SCADA systems typically consist of two operating systems. The first, running Windows or Unix, hosts the operator console. The second is the actual control processor, which receives and sorts data, responds to commands, and so on. The controllers on this side were originally designed to operate in isolation and usually have only rudimentary password control.


Process control and SCADA systems, with their reliance on proprietary networks and hardware, had long been considered immune to the network attacks that have wreaked so much havoc on corporate information systems. However, the move to open standards such as Ethernet, Transmission Control Protocol/Internet Protocol (TCP/IP), and Web technologies is allowing hackers to take advantage of the control industry’s lack of security awareness.


Insecure SCADA systems could lead to catastrophic damage: massive power blackouts, oil refinery explosions, sewage mixed into the drinking water supply, and so on.


There have been many cases of insecure SCADA systems being exploited. Some instances are:


(a) Between July 8th and August 31st, 1994, Lane Jarrett Davis gained unauthorized access to the Salt River Project (SRP) computer network via a dialup modem so he could have access to billing information. He installed a back door into the system giving him access at a later time. At the time, SRP’s water SCADA system operated a 131-mile canal system, which was used to deliver water to customers in the Phoenix metropolitan area. Mr. Davis had at least one 5-hour session on mission critical systems which controlled the canals. Data vulnerable during the intrusions included water and power monitoring and delivery, financial, and customer and personal information. Data taken and/or altered included login and password files, computer system log files, and “root” privileges. Furthermore, a Doppler-radar research project between the SRP and National Weather Service’s National Severe Storms Lab was also accessed. SRP estimated losses at $40,000, not including lost productivity due to the compromise.


(b) In March 2000, a former consultant to a wastewater treatment plant in Maroochy Shire, Queensland, Australia, accessed the plant’s control system and released up to 1 million liters of sewage into the surrounding waterways.


(c) In September 2001, computers at the Port of Houston in Texas were hit by a Denial of Service attack. This crashed systems at the port that contained data for helping ships navigate the harbor.


(d) In January 2003, the “Slammer” worm disabled the computerized safety monitoring system at the Davis-Besse nuclear power plant in Ohio, which was shut down for repair at that time. The responsible managers considered the plant “secure,” as its outside network connection was protected by a firewall. The worm entered the plant network via a contractor’s infected computer that was connected via telephone dial-up directly to the plant network, thus bypassing the firewall.


(e) In August 2003, a worm infected the communication system of the U.S. railway company CSX Transportation. The dispatching and signaling systems were affected across 23 states and all passenger and freight traffic, including morning commuter traffic in the Washington, D.C. area, had to be stopped for about 12 hours.


(f) In August 2005, internet worms infected 13 DaimlerChrysler automobile manufacturing plants, and production had to be halted for one hour until all the Windows systems were patched.


(g) In January 2008, a Polish teenager modified a TV remote control so that it could be used to trip rail switches and redirect trains. Four trains were derailed and twelve people were injured.


(h) In March 2008, the Hatch nuclear power plant in Georgia was forced into an emergency shutdown for 48 hours after a software update was installed on a single computer. An engineer installed a software update on a computer operating on the plant’s business network. When the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in the coolant water reservoirs, thus triggering a shutdown. It took 48 hours for the plant operations to recover.


(i) In January 2009, road signs in Texas were compromised and changed to display “Zombies Ahead”. It was found that the instrument panels of these road signs are frequently left unlocked and their default passwords are never changed.


(j) In February 2009, Italian authorities charged an engineer with conspiring with local officials to rig traffic lights to have shorter yellow lights, causing a spike in camera-enforced traffic tickets.


During a risk assessment survey conducted by the US Government on SCADA systems at its critical installations, the following weaknesses were observed:


(a) Default vendor accounts and passwords still in use. Alarmingly, on some systems there was no provision to change the default password or to disable the vendor account.
(b) Guest accounts still available
(c) Unused software and services still on systems
(d) Poor patch management
(e) Extensive auto-logon capability
(f) Little emphasis on reviewing security logs / change management logs
(g) Shared passwords
(h) Direct VPN from offsite to control systems
(i) Web enabled field devices
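Most of the weaknesses in that list can be checked mechanically from an asset inventory rather than found by a one-off survey. The following is an added example, not code from the original article or from the government assessment it summarizes; the inventory fields, the constructed host records, the assessment date and the 90-day patch-age threshold are all assumptions chosen for illustration.

```python
"""Audit a control-system host inventory against common SCADA weaknesses.

Added example for this article; it is not code from the original page or
from the government assessment it describes. The inventory fields, the
assessment date and the 90-day patch threshold are assumptions.
"""
from datetime import date

# Constructed inventory: one record per host, as an asset-management export
# might provide it. Only boolean flags and hashes are recorded, never
# passwords themselves.
INVENTORY = [
    {
        "host": "hmi-01",
        "role": "field_device",
        "accounts": [
            {"name": "admin", "password_hash": "h1", "default_password": True},
            {"name": "operator", "password_hash": "h2", "default_password": False},
            {"name": "shiftlead", "password_hash": "h2", "default_password": False},
        ],
        "guest_enabled": True,
        "services": ["hmi", "telnet", "phpmyadmin"],
        "required_services": ["hmi"],
        "last_patched": date(2010, 11, 1),
        "auto_logon": True,
        "remote_vpn_to_control": True,
        "web_ui_enabled": True,
    },
    {
        "host": "plc-07",
        "role": "controller",
        "accounts": [
            {"name": "engineer", "password_hash": "h3", "default_password": False},
        ],
        "guest_enabled": False,
        "services": ["modbus"],
        "required_services": ["modbus"],
        "last_patched": date(2011, 10, 15),
        "auto_logon": False,
        "remote_vpn_to_control": False,
        "web_ui_enabled": False,
    },
]


def audit_host(host, today, max_patch_age_days=90):
    """Return a list of finding strings for one host record."""
    findings = []
    for acct in host["accounts"]:
        if acct["default_password"]:
            findings.append(f"default vendor password still set for '{acct['name']}'")
    if host["guest_enabled"]:
        findings.append("guest account enabled")
    unused = sorted(set(host["services"]) - set(host["required_services"]))
    if unused:
        findings.append("unused services running: " + ", ".join(unused))
    age = (today - host["last_patched"]).days
    if age > max_patch_age_days:
        findings.append(f"last patched {age} days ago")
    if host["auto_logon"]:
        findings.append("auto-logon enabled")
    # Group accounts by password hash; more than one name per hash means
    # the same password is shared between accounts.
    by_hash = {}
    for acct in host["accounts"]:
        by_hash.setdefault(acct["password_hash"], []).append(acct["name"])
    for names in by_hash.values():
        if len(names) > 1:
            findings.append("shared password across accounts: " + ", ".join(names))
    if host["remote_vpn_to_control"]:
        findings.append("direct VPN from offsite into the control network")
    if host["role"] == "field_device" and host["web_ui_enabled"]:
        findings.append("web interface enabled on a field device")
    return findings


def audit(inventory, today):
    """Map each host name to its findings."""
    return {h["host"]: audit_host(h, today) for h in inventory}


def audit_sample():
    """Run the audit over the constructed inventory as of a fixed date."""
    return audit(INVENTORY, date(2011, 11, 20))


if __name__ == "__main__":
    for host, findings in audit_sample().items():
        print(f"{host}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

On the constructed data, hmi-01 trips all eight checks (it mirrors the pattern of a web-exposed HMI with vendor defaults) while plc-07 comes back clean. The "little emphasis on reviewing security logs" item is the one that cannot be read from an inventory; it needs evidence that someone actually reviews the logs, which is a process control rather than a configuration flag.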


The United States Computer Emergency Readiness Team (US-CERT) has a separate section on “Control Systems” and has released many publications, including “Strategy for Securing Control Systems”, “Recommended Practices”, and “Framework for SCADA Security Policy”.


India’s public utility systems need to ensure that basic protection is in place against such security incidents.