Water utilities across the country are being urged to step up their cybersecurity in the wake of two incidents in which hackers gained access to computer systems that control pumps, pipes and reservoirs.
“We have alerted our members to these two possible incidents and advised them to monitor their [computer] systems and review their protection” procedures, Michael Arceneaux, deputy executive director of the Association of Metropolitan Water Authorities, told The Washington Times.
Federal officials said they were investigating, but downplayed the incidents, saying there was no evidence of a threat to public safety.
Earlier this month, the Illinois Statewide Terrorism and Intelligence Center reported a cyber-attack on a small, rural water utility outside Springfield. Hackers, apparently based in Russia, gained access to the utility’s computer systems and burned out a water pump by turning it on and off repeatedly, the center said in a bulletin dated Nov. 10. If the report is correct, it would the first cyber-attack against U.S. infrastructure by foreign hackers.
On Friday, a hacker calling himself “Pr0f” posted screen shots from his computer showing him logged onto the control system of a water utility in the Texas town of South Houston. He said he had hacked the system to demonstrate the “insanely stupid” attitudes of federal officials who were playing down reports of the Springfield attack.
“I wouldn’t even call this a hack,” Pr0f wrote. “This required almost no skill and could be reproduced by a 2-year-old.”
He said the control systems were easily accessible from the public Internet, but that he had not damaged them because “I don’t really like mindless vandalism. It’s stupid and silly.”
In both the Illinois and Texas cases, the cyber-attacks targeted special computerized equipment that remotely controls water pumps, pipelines and reservoirs. Such equipment, known as Supervisory Control and Data Acquisition (SCADA) systems or Industrial Control Systems (ICS), is widely used by water and sewage systems, power stations, oil refineries, chemical plants and other vital industrial infrastructure in the U.S. and around the world.
ICS increasingly has been the target of hackers since the Stuxnet cyber-attack crippled the Iranian nuclear program in 2009.
“We’ve been advised that there may have been a cyber-attack against our SCADA system,” Donald M. Craven, one of seven elected trustees of the Curran-Gardner Public Water District near Springfield, told The Times on Sunday.
The Department of Homeland Security and the FBI “are gathering facts surrounding the [Illinois] report,” Homeland Security spokesman Peter Boogaard said Friday. “At this time, there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”
“I dislike, immensely, how the DHS tend to downplay how absolutely [expletive] the state of national infrastructure is,” Pr0f responded.
A Homeland Security Department spokesman had no immediate response to Pr0f’s comments.
Rep. James R. Langevin, Rhode Island Democrat and a member of the House Permanent Select Intelligence Committee, predicted more and worse cyber-attacks on civilian U.S. infrastructure.
“These sorts of incidents are only going to become more and more common as we delay necessary reforms that would make our SCADA systems more secure,” he said.
Mr. Langevin told The Times that the owners and operators of U.S. water and power systems and other infrastructure are “dragging their feet in terms of improving their computer security” to protect their systems from hacking.
Whatever the truth of the Illinois and Texas incidents, “We know this can be done,” he said, describing it as “massive risk we’re facing as a country.”
The Illinois report says the hackers likely had access to the system for several weeks. The attackers got access using passwords stolen from a company that sells ICS, meaning that other systems across the country also might be vulnerable to the hackers, according to SCADA security specialist Joseph Weiss, who first made the Illinois report public.
“This is a giant issue for the SCADA community,” said Air Force Lt. Robert M. Lee, who has worked on SCADA cybersecurity issues.
If the Illinois report is correct, the attackers “created the same outcome that the Stuxnet achieved with Iranian centrifuges,” he said.
The Stuxnet attack destroyed hundreds of Iran’s uranium-enriching centrifuges by making the SCADA system spin them at ever-higher speeds until they shook to pieces.
“If I’m a foreign intelligence service, looking for ways to attack U.S. infrastructure,” Lt. Lee said, “I’m going to do my homework, my intelligence gathering, in a smaller utility” like Curran-Gardner, where it is less likely to be noticed.
Mr. Langevin said it is “more likely that not” that the U.S. would “suffer a major cyber-attack [on critical infrastructure] in the near future.
“We’re very, very vulnerable if we don’t act,” he said.
• Shaun Waterman can be reached at 123@example.com.
Please read our comment policy before commenting.