Thinq_ reports that a hacker identified as 'pr0f' has provided evidence of a successful penetration of South Houston's water supply network.
The posting is said to have been in response to statements Department of Homeland Security's Peter Boogaard made as reported by The Register regarding apparent damage to a water system in Illinois stemming from a cyber attack.
Boogaard said that the "DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."
The response from hacker 'pr0f' was highly critical:
"This was stupid. You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely F****D the state of national infrastructure is. I've also seen various people doubt the possibility an attack like this could be done," 'pr0f' posted on Pastebin.
"I'm not going to expose the details of the box. No damage was done to any of the machinery; I don't really like mindless vandalism. It's stupid and silly. On the other hand, so is connecting interfaces to your SCADA machinery to the internet. I wouldn't even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic," 'pr0f' wrote.
News of the network penetration comes on the heels of another successful water treatment system hack disclosed by the Illinois Statewide Terrorism and Intelligence Center on Nov 10th.
These events underscore the widespread vulnerabilities inherant in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems which govern networks controlling critical infrastructure including power, water, and chemical production among other vital operations.
"A water facility has a direct impact over the health of the citizens that it provides. A compromise of such a facility, depending on the scale of the compromise, could reasonably lead to the loss of life. This is to say that the concern for security of the ICS and SCADA community is not and cannot simply be financial," wrote Robert M. Lee, a Cyberspace Officer in the United States Air Force and Infosec Island contributor.
Lee's statements were not drafted in his official capacity it should be noted.
"If the damage the water facility's pumps experienced is related to the hack, which is reasonable to state but currently unverified, then comparisons between it and Stuxnet are instantly drawn. Stuxnet was an advanced piece of malware whereas, at first look, the methods used to compromise the water utility were very basic," Lee continued.
Stuxnet is a highly sophisticated designer-virus that wreaks havoc with SCADA systems which provide operations control for critical infrastructure and production networks, and the initial attacks are thought to have caused severe damage to Iranian uranium enrichment facilities, setting back the nation's nuclear weapons program by as much as several years.
The report, titled Utility Cyber Security - Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond, concludes that although a great deal of attention has shifted to protecting systems that govern infrastructure over the past eighteen months, utilities have a long way to go in protecting critical networks.
"Utility cyber security is in a state of near chaos. After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended," the report contends.
One of the main challenges in protecting these networks is the fact that these systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.