Brian Krebs has a great article on his blog about the recent cyber attack on a city water utility in Illinois. Wired and others have also been covering the story as it evolves. I’m not going to rehash the news. Who did it might perhaps be marginally interesting, as might be their motive. While I’m not suggesting we excuse criminal behaviour, burning out a water pump by turning it on and off is most certainly not the worst thing one could do upon seizing remote control of a water facility.
For those new to the topic, the security of Supervisory Control and Data Acquisition (SCADA) systems has been a concern for years. For example, Andrew Hildick-Smith’s 2005 paper discusses Security for Critical Infrastructure SCADA systems. I’m not convinced that I completely agree with Mr. Hildick-Smith’s approach, but the fact that he wrote this paper as a practical assignment for a security certification back in 2005 illustrates that this problem is certainly not unknown.
Assuming reports are correct and that an intruder was able to hack into a SCADA system from outside, this incident is another example of how basic security fundamentals are being ignored in the critical infrastructure sectors. Given the current state of SCADA systems, neither the devices nor the computers that control them should be accessible from any other network, and they also require protection against insider threats. The risk is simply too high.