US Water System Hacked: A Community-Wide Issue

Friday, November 18, 2011

Robert M. Lee


On November 17th Joe Weiss, a well-known member of the Industrial Control System (ICS) community, posted on his blog about a recent US water system hack

Joe points out that the disclosure concerning the Nov 8th supervisory control and data acquisition (SCADA) hack was made by Illinois Statewide Terrorism and Intelligence Center on Nov 10th.  

Joe's post stated that the SCADA software vendor was compromised and that customer usernames and passwords were stolen as well as possible physical damage to the utility.  He further states that the IP address of the attacker traced back to Russia, which does not provide any attribution but is nevertheless interesting.  

Information is still coming out on this event and the DHS has stated that they and FBI are still gathering information but believe none of the information so far indicates a risk to critical infrastructure.  However, the concerns this incident raises are valid regardless.

Speaking from a security standpoint, Joe states that a number of actions should be taken including better information sharing with industry, control system cyber security training and policies, and control system forensics.  

Joe is probably one of the most experienced and outspoken individuals in cyber security for control systems.  When such an expert raises concerns about their own industry it is important to attempt to understand the reason for their concern. I would like to expound upon the actions that should be taken as well as provide my personal opinion on what the compromise means for the ICS and cyber community. 

The compromise of a US water facility should be concerning for a number of reasons.  Firstly, the idea of anyone or any group (nation state or not) breaking into SCADA and control systems in the US highlights a weakness in our nation's infrastructure. 

What is hard to discern though is how many attacks are prevented on a daily basis by the men and women taking up the very difficult challenge of cyber defense.  Regardless though, this is a fight that must continue to get support and attention in the cyber community. 

Secondly, a water facility has a direct impact over the health of the citizens that it provides.  A compromise of such a facility, depending on the scale of the compromise, could reasonably lead to the loss of life.  This is to say that the concern for security of the ICS and SCADA community is not and cannot simply be financial. 

Lastly, at the 11th ACS Control Systems and Cyber Security conference and this year's Hacker Halted conference I spoke of the intelligence gathering benefits for a hacker to go after the "low hanging fruit" by targeting smaller and lightly protected ICS/SCADA systems. 

This enables the hacker to gain information such as usernames, passwords, design documents, and network layout information to leverage an attack against larger facilities. 

The reported attack against this water SCADA system, although it is in no way possible to determine at this time, could be this style of attack.  This is important to think about in regards to what future attacks may hold, what the motives for the attacks are, and what attacks may currently be going unnoticed.

Even more concerning, if the damage the water facility's pumps experienced is related to the hack, which is reasonable to state but currently unverified, then comparisons between it and Stuxnet are instantly drawn.  Stuxnet was an advanced piece of malware whereas, at first look, the methods used to compromise the water utility were very basic. 

However, what did Stuxnet accomplish?  It was a piece of code that damaged physical components to a facility.  This is the same end result as the water utility compromise.  If the same end result is achieved and positive attribution is denied then it does not matter how advanced an attack is. 

The concerns this raises for the ICS/SCADA community and everyone who uses them, i.e. all of us, are huge.  This is literally becoming a matter of life and death and warrants the proper attention and respect.

I reiterate that more information on the report is needed although it does not change the conclusion.  The report of the attack itself highlights that ICS/SCADA systems are continually targeted by hackers. 

All speculation aside, the fact that our ICS/SCADA systems are being targeted should be concerning to the cyber community as a whole.  I've had the privilege of meeting with members from the ICS-CERT, DHS, ICS community, and military community who are very intelligent, experienced, and passionate about cyber security for control systems. 

However, it should not fall on them alone to protect our national infrastructure.  There must be more community involvement in the form of pushing legislation, a desire for training, regulations that are able to support national defense, and community sharing to tackle these issues. 

Furthermore, Joe's point on establishing proper cyber forensics for control systems is one of the most important aspects of security.  Expecting to prevent all compromises especially concerning lucrative targets such as ICS and SCADA systems is not reasonable. 

However, detecting an attack, what all was accessed during the compromise, and working towards positively attributing the compromise to the attacker is the most effective way of establishing a deterrent to protect these systems and human lives.

In cyberspace the best line of defense is the front line.  Once an attacker makes it past the initial barriers to entry it becomes easier through information gathering and network enumeration to compromise a system. 

These front lines, including smaller control systems, must be protected as seriously as the larger systems.  It is up to all of us to drive discussions and changes that can protect them.


Robert M. Lee is a Cyberspace Officer in the United States Air Force; however this post and his views do not represent the US Air Force, Department of Defense, or US Government. The opinions held in this post are his alone and this post was written outside of a military capacity. 

Possibly Related Articles:
SCADA Attacks Stuxnet DHS National Security hackers ICS Industrial Control Systems Water Control Systems
Post Rating I Like this!
Joel Langill The timing could not be more perfect, as when this news broke yesterday, I was teaching my course on SCADA Security for InfoSec Institute covering the very important module that discusses how one of the most important security controls that can be implemented on these vulnerable ICS systems is one that "detects" attacks, rather than focusing entirely on "protecting" from such attacks!

This breach did not do anything anyone that knows ICS security has been saying all along ... first perform a blended attack where you gain intelligence through a targets supply chain, and then leverage this information to penetrate the target.

What is most disturbing is the fact that there obviously was not any form of multi-factor authentication used on the remote access infrastructure, as any DiD strategy would dictate additional controls in case a password is compromised! This leads me to want to focus more on the Integrator responsible for implementing the overall infrastructure, and less on the irresponsibility of the vendor for their information leakage.

Until DHS/ICS-CERT and the community in general realizes that security is EQUALLY shared between End-User + Vendor + Integrator will we start to really address the security posture of these types of installations.
Joel Langill If you are interested in reading more about my approach to granting remote access to trusted ICS networks, download a presentation I gave at last year's ICSJWG ( and another on the importance of security during project execution (
Robert M. Lee Joel I appreciate the comment. I agree with you that everyone in the ICS security community have been talking about this for a long time. It has started to become such a public issue that hopefully more positive things will be done in the community and leaked over to other communities as this really is an issue that impacts all of us.

I viewed your presentations and they are really good, thank you for sharing. I think you make some great points. What you are doing with your website as well as being an instructor is incredibly important (especially with regards to teaching on detection). Keep it up!

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked