Water Utility Attacked, Compromised – the Era of SCADA Attacks Arrives

On October 28 I posted a blog entry about the Sayano-Shushenskaya hydroelectric power plant accident being a model for attacks aimed at industrial controllers and SCADA devices.  Last week the model became reality as an attack damaged a pump at a water plant in Illinois (from Krebs on Security).

To recap my post, I told the story of the 2009 Sayano-Shushenskaya plant where a 900-ton turbine unit lifted 50+ feet into the air due in part to the failure of an anti-vibration program.  Tragically, 75 people lost their lives in the accident.  The region lost a 6,500 MW power station through at least 2014, and power outages affected industrial production on a broad scale.  My point was that a hack of industrial control programs and SCADA devices could disrupt critical infrastructure or be used for industrial blackmail.

The post makes the point that hacks need not be complicated – shutting off a vibration control program being a good example.  The post also ties in the recent Duqu and Nitro attacks as examples of the tools adversaries use to gather the data needed to pull off such hacks.

Suddenly this dumb country boy looks prophetic.  Stories began to break last week that an Illinois water plant was hacked and a water pump was rendered inoperable (destroyed feels a bit extreme here) through a hack on industrial control systems on November 8.  The sophisticated method used by the hackers to cripple the pump?  They turned the SCADA system on and off repeatedly until the pump burnt itself out.

Those shifty hackers! They managed to subvert the oldest, most tried and true technique for fixing almost anything electronic – turning it off and turning it back on.
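The cycling pattern described above is also easy to spot on the defender's side. The following is an added example, not code from the original post or from any utility: it scans constructed pump command log lines (the log format, the PUMP1 tag and the src= field are assumptions) and raises an alert when START/STOP commands arrive far faster than any normal duty cycle would produce.

```python
"""Detect rapid on/off cycling of a pump in SCADA command logs.

Added example for this post; not code from the original article or any
utility's system. The log format and the 'PUMP1' tag are assumptions."""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: a normal day of operation followed by a burst
# of toggles from a remote session late in the evening.
SAMPLE_LOG = """\
2011-11-08 09:00:00 PUMP1 CMD START src=hmi-01
2011-11-08 13:30:00 PUMP1 CMD STOP src=hmi-01
2011-11-08 13:45:00 PUMP1 CMD START src=hmi-01
2011-11-08 22:10:00 PUMP1 CMD STOP src=remote-vpn
2011-11-08 22:10:20 PUMP1 CMD START src=remote-vpn
2011-11-08 22:10:45 PUMP1 CMD STOP src=remote-vpn
2011-11-08 22:11:05 PUMP1 CMD START src=remote-vpn
2011-11-08 22:11:30 PUMP1 CMD STOP src=remote-vpn
2011-11-08 22:11:50 PUMP1 CMD START src=remote-vpn
"""

def parse_commands(text):
    """Yield (timestamp, tag, command, source) for each CMD log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[3] != "CMD":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        src = parts[5].split("=", 1)[1] if len(parts) > 5 else "?"
        yield ts, parts[2], parts[4], src

def find_cycling(text, tag, max_toggles=4, window=timedelta(minutes=5)):
    """Return alerts as (window_start, window_end, toggle_count, sources).

    An alert fires when more than max_toggles START/STOP commands for `tag`
    fall inside any sliding window of length `window`. A healthy pump cycles
    a few times a day; a burst of toggles within minutes is exactly the
    pattern the post describes as burning the pump out."""
    recent = deque()
    alerts = []
    for ts, t, cmd, src in parse_commands(text):
        if t != tag or cmd not in ("START", "STOP"):
            continue
        recent.append((ts, src))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) > max_toggles:
            alerts.append((recent[0][0], ts, len(recent),
                           sorted({s for _, s in recent})))
            recent.clear()  # one burst produces one alert, not one per toggle
    return alerts
```

The thresholds are deliberately loose; a real deployment would tune them per asset from historian data, and the source field is worth carrying into the alert because an unexpected origin for the commands is as telling as the rate.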

Seriously, this is the first attack (at least that we know about) on a SCADA/industrial control system since the story broke about Stuxnet.  Given how quickly DHS stepped in to deny it was a hack, I think it is safe to assume there have been others.  Not quite as dramatic as a 900-ton turbine unit destroying a hydroelectric plant, but no less effective in disrupting infrastructure.  Regardless, I think we are seeing the adversary try new tradecraft on smaller utilities that are less heavily protected than their brethren serving large populations.  The proverbial velociraptors systematically testing the fences.

My next prediction? You will see more such stories in the near term as the exploration process continues and the tradecraft is refined.  Some industry analysts, pundits and experts will call concerns about such attacks marketing FUD and overreaction.  As the stories grow more frequent, people will get numb to the warnings.

Until something happens that is truly disruptive.  My last prediction: it is not “if” but “when”.

Update 12/1/2011:

Wired Magazine has confirmed that there was actually no hack per the official stance of the FBI and DHS.  This article contains a summary of the circumstances behind the reported hack. I stand corrected.

It should be noted that an article in Information Age actually used an FBI source to report that SCADA systems had been compromised elsewhere.