
A HACKER virtually tiptoeing around a Texas water plant, and a burned-out pump at an Illinois water treatment facility: both incidents, which happened last month, made headline news because cybersecurity breaches seemed to be behind them, though no one was harmed.
Initial reports said Russian hackers were behind the Illinois accident. While officials there is 鈥渘o evidence鈥 that this was the case the two events illustrate how worried people are that vital infrastructure is vulnerable to cybercrime.
News of the suspected attacks came as a study revealed that poor cybersecurity measures in the Netherlands water industry could let attackers contaminate water supplies or cut them off entirely, holding whole nations to ransom.
Advertisement
Help could soon be at hand: a 鈧5 million European Union project called PRECYSE begins in January to develop technologies to combat attacks on infrastructure like water networks, electric grids, oil pipelines and chemical plants.
Undertaken by the Dutch research lab , based in The Hague, the water industry study examined the security measures taken by the 10 companies that control the Netherlands鈥 drinking water. At issue are the Supervisory Control and Data Acquisition Systems (SCADAs) which, at a water plant, control processes like water intake, purification, quality control and pumping to homes.
A SCADA sends instructions to shopfloor machines like pumps, valves, robot arms and motors. But such systems have moved from communicating over closed networks to a far cheaper conduit: the public internet. This can give hackers a way in. Eric Luiijf of TNO Defence and his colleagues found a litany of insecure 鈥渁rchitectural errors鈥 in the waterworks鈥 SCADA networks (International Journal of Critical Infrastructure Protection, ).
Some firms did not separate their office and SCADA networks, allowing office hardware failures, virus infections and even high data traffic to potentially 鈥渂ring down all SCADA operations鈥. While remote internet access to SCADAs is supposed to be possible only with strict security controls, the researchers found this was often not the case. And some water firms allowed third party contract engineers to connect laptops to their SCADA network with no proof they were running up-to-date antivirus software. Indeed, it has emerged that a US contractor logging on to check the Illinois water plant from Russia, while he was away on holiday, was behind the Illinois 鈥楻ussian hacker鈥 scare.
This was compounded by news of the hack at the Texas water plant, where on 20 November a hacker named 鈥減rof鈥 using a three-character default password on an internet-accessed SCADA made by Siemens of Germany. 鈥淣o damage was done to any machinery; I don鈥檛 really like mindless vandalism. It鈥檚 stupid and silly. On the other hand, so is connecting your SCADA machinery to the internet,鈥 he
聯A hacker gained access to the water plant鈥檚 systems using a three-character default password聰
One of PRECYSE鈥檚 main approaches to securing systems will be 鈥渨hitelisting鈥, a way of ensuring only authorised users obtain access. This is the opposite of the approach used by antivirus software. 鈥淚nstead of hunting for malicious code, as in an antivirus blacklist, this only lets the known good guys connect,鈥 says security engineer Sakir Sezer at Queens University Belfast in the UK. Unusual behaviour 鈥 such as attempting to extract the control codes used to drive equipment 鈥 would also mean access is blocked. Deep-packet inspection, normally used to spot copyrighted material on the net, could be harnessed to ensure no attack code is injected.
But it won鈥檛 be easy. 鈥淭he biggest risk we face is that of denying the legitimate user access to their SCADA because something in the security setup has changed,鈥 says Sezer. 鈥淵ou don鈥檛 want to create a denial of service attack against yourself.鈥
The systems have other enemies, too. The Stuxnet worm, which attacked Siemens SCADAs in Iran鈥檚 uranium-enrichment facility in Natanz, wrecked 400 machines. Duqu, a relative of Stuxnet spread in Word files, is currently probing SCADA networks seeking out control instructions.
The battle for the safety of our utilities has only just begun.
