On November 17th Joe Weiss, a well-known member of the Industrial Control System (ICS) community, posted on his blog about a recent US water system hack.
Joe points out that the disclosure concerning the Nov 8th supervisory control and data acquisition (SCADA) hack was made by Illinois Statewide Terrorism and Intelligence Center on Nov 10th.
Joe's post stated that the SCADA software vendor was compromised, that customer usernames and passwords were stolen, and that the utility may have suffered physical damage. He further states that the IP address of the attacker traced back to Russia, which does not provide any attribution but is nevertheless interesting.
Information is still coming out on this event, and DHS has stated that it and the FBI are still gathering information but believe none of the information so far indicates a risk to critical infrastructure. However, the concerns this incident raises are valid regardless.
Speaking from a security standpoint, Joe states that a number of actions should be taken including better information sharing with industry, control system cyber security training and policies, and control system forensics.
Joe is probably one of the most experienced and outspoken individuals in cyber security for control systems. When such an expert raises concerns about his own industry it is important to attempt to understand the reason for that concern. I would like to expound upon the actions that should be taken as well as provide my personal opinion on what the compromise means for the ICS and cyber community.
The compromise of a US water facility should be concerning for a number of reasons. Firstly, the idea of anyone or any group (nation state or not) breaking into SCADA and control systems in the US highlights a weakness in our nation's infrastructure.
What is hard to discern though is how many attacks are prevented on a daily basis by the men and women taking up the very difficult challenge of cyber defense. Regardless though, this is a fight that must continue to get support and attention in the cyber community.
Secondly, a water facility has a direct impact on the health of the citizens it serves. A compromise of such a facility, depending on its scale, could reasonably lead to the loss of life. This is to say that the security concern for the ICS and SCADA community is not, and cannot be, simply financial.
Lastly, at the 11th ACS Control Systems and Cyber Security conference and this year's Hacker Halted conference I spoke of the intelligence gathering benefits for a hacker to go after the "low hanging fruit" by targeting smaller and lightly protected ICS/SCADA systems.
This enables the hacker to gain information such as usernames, passwords, design documents, and network layout information to leverage an attack against larger facilities.
The reported attack against this water SCADA system, although there is no way to determine it at this time, could be this style of attack. This is important to think about in regard to what future attacks may hold, what the motives for the attacks are, and what attacks may currently be going unnoticed.
Even more concerning, if the damage the water facility's pumps experienced is related to the hack, which is reasonable to state but currently unverified, then comparisons between it and Stuxnet are instantly drawn. Stuxnet was an advanced piece of malware, whereas, at first look, the methods used to compromise the water utility were very basic.
However, what did Stuxnet accomplish? It was a piece of code that damaged physical components of a facility. This is the same end result as the water utility compromise. If the same end result is achieved and positive attribution is denied, then it does not matter how advanced an attack is.
The concerns this raises for the ICS/SCADA community and everyone who uses them, i.e. all of us, are huge. This is literally becoming a matter of life and death and warrants the proper attention and respect.
I reiterate that more information on the report is needed, although it does not change the conclusion. The report of the attack itself highlights that ICS/SCADA systems are continually targeted by hackers.
All speculation aside, the fact that our ICS/SCADA systems are being targeted should be concerning to the cyber community as a whole. I've had the privilege of meeting with members from the ICS-CERT, DHS, ICS community, and military community who are very intelligent, experienced, and passionate about cyber security for control systems.
However, it should not fall on them alone to protect our national infrastructure. There must be more community involvement in the form of pushing legislation, a desire for training, regulations that are able to support national defense, and community sharing to tackle these issues.
Furthermore, Joe's point on establishing proper cyber forensics for control systems is one of the most important aspects of security. Expecting to prevent all compromises, especially of lucrative targets such as ICS and SCADA systems, is not reasonable.
However, detecting an attack, determining what was accessed during the compromise, and working towards positively attributing the compromise to the attacker is the most effective way of establishing a deterrent to protect these systems and human lives.
In cyberspace the best line of defense is the front line. Once an attacker makes it past the initial barriers to entry it becomes easier through information gathering and network enumeration to compromise a system.
These front lines, including smaller control systems, must be protected as seriously as the larger systems. It is up to all of us to drive discussions and changes that can protect them.
Robert M. Lee is a Cyberspace Officer in the United States Air Force; however this post and his views do not represent the US Air Force, Department of Defense, or US Government. The opinions held in this post are his alone and this post was written outside of a military capacity.