Michael Welch, deputy assistant director of the FBI's Cyber Division, revealed that three U.S. cities recently experienced significant network intrusions by unnamed attackers, who got in by way of poorly secured supervisory control and data acquisition (SCADA) networks.
Welch made the disclosure recently at the Flemings Cyber Security conference in London.
SCADA systems provide operations control for critical infrastructure and production networks including manufacturing facilities, refineries, hydroelectric and nuclear power plants.
"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into SCADA systems within the city," Welch said.
The intrusions were characterized by Welch as "sort of a tease to law enforcement and the local city administration, saying 'I’m here, what are you going to do about it.' Essentially it was an ego trip for the hacker..."
While Welch downplayed the intrusion, he was candid about the potential for mayhem had the attacker's intentions been more malicious.
"He had control of that city’s systems and he could dump raw sewage into the lake, he could shut down the power plant at the mall – a wide array of things."
Welch would not specify if the intrusions he was referring to included the recently reported attacks against the Curran-Gardner Public Water District in Springfield, Illinois, and another against networks at a water treatment facility in South Houston, Texas.
SCADA security in a post-Stuxnet environment has been a hot topic this year. Last May, security researcher Dillon Beresford cancelled a scheduled presentation at the Takedown Conference on a SCADA exploit proof-of-concept after consulting with representatives from Siemens and the Department of Homeland Security over security concerns.
Beresford and his team's work was described as akin to a homemade cyber weapon comparable to the infamous Stuxnet virus. Stuxnet is a highly sophisticated designer virus that wreaks havoc with SCADA systems; it is thought to have caused severe damage to Iranian uranium enrichment facilities, which reportedly set back the nation's nuclear program several years.
In March, a separate set of researchers released details on dozens of SCADA system vulnerabilities. Some of the vulnerabilities could allow attackers access to critical data located in system configuration files, while several others would allow the remote execution of malicious code.
The unprecedented release included thirty-four proof-of-concept exploits for common SCADA software including those produced by Siemens, Iconics, 7-Technologies, Datac, and Control Microsystems.
Market analysis and consulting provider Pike Research recently released a report examining the current state of utility cyber security, and the prognosis is far from comforting.
The report, titled Utility Cyber Security - Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond, concludes that "Utility cyber security is in a state of near chaos. After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended..."
The FBI, DHS, and regulatory agencies have taken note of the increased threat level to SCADA systems and cyber threats in general, and cybersecurity issues are being met with "a huge growth factor," Welch stated.
"A big part of what we do is private sector liaison. At no time in our history have we had to stretch the definition of what constitutes crime more than we do now," Welch explained.