Cyber attacks hit US water utilities
22 Nov 2011
Lantzville, British Columbia – Details have emerged of cyber attacks at two US water utilities – one on the water SCADA system at the Curran-Gardner Township Public Water District, in Illinois, the second at a water utility in the City of South Houston.
An article posted by Eric Byres on the www.tofinosecurity.com website cites a number of media sources and a report by the Illinois Statewide Terrorism and Intelligence Center stating that a water district employee had noticed problems with a SCADA system on 8 Nov. A check of the SCADA system’s computer logs found that it had been remotely hacked into from an IP address located in Russia.
Over a period of two to three months, minor glitches had been observed in remote access to the water district’s SCADA system. More recently, the SCADA system would power on and off, resulting in the burnout of a water pump, according to one report.
According to Byres, the attackers had apparently breached the IT systems of the company that either manages or makes the SCADA systems used at Curran-Gardner and stole customer usernames and passwords. The attackers then used this information to infiltrate the Curran-Gardner SCADA system.
Around the same time, in a separate incident, a hacker using the name “pr0f” or “@pr0f_srs” published details of a successful penetration of the South Houston water utility. This attacker, said Byres, used an unrelated technique to gain access to the water utility and then posted several screenshots of the control system on Pastebin.
Byres said Pr0f made it very clear that his was not a malicious attack, only a proof-of-concept to show that many SCADA systems are very insecure:
“I dislike, immensely, how the DHS tend to downplay how absolutely (expletive deleted) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done. So, y’know … the city of South Houston has a really insecure system. Wanna see? I know ya do.”
“I’m not going to expose the details of the box. No damage was done to any of the machinery; I don’t really like mindless vandalism. It’s stupid and silly.”
“On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic.”
According to Byres, Pr0f then posted a second article in which he made some good points explaining why he did the attack:
“It’s not as grim and war-like as the media are making it out to be, at all. ‘Cyber war’ and all of that is little more than hype, and I’d like to address that in a moment. But it is a sign that the security-poor institutional culture in automation needs changing, and needs changing fast…
I would like to go on record and say that the main reason I did what I did yesterday was essentially because I know I am not the only person with an interest in these systems. I also know I am not the only person who has explored them and read up on them. However, at least I am going public (ish) and trying to draw attention to the topic…
I don’t think I am alone in suggesting that the gravity of the problem is more serious than ICS-CERT and similar are equipped to deal with. I would love to see some real reform and discussions between the government, manufacturers of ICS, and people who use these systems happening, because there seems to be a huge disconnect between the parties involved.”
Byres concluded his report on these developments with the comment that many companies and many industries are still not taking security seriously:
“Even these two incidents probably won’t be enough of a wakeup call for most companies. I just pray that it won’t take a disaster to get the SCADA users, vendors and government moving toward making our critical infrastructures more robust and secure.”
Eric Byres’ thoughts on how to make passwords work for SCADA systems:
Now while Pr0f has been obviously following the latest in hacking techniques, it is clear that the team at the South Houston Water Utility is not staying current with even the most basic guidelines on good security passwords. Here are my thoughts on passwords, and some suggestions on dealing with a very imperfect security mechanism.
Passwords are a bad idea on many levels, starting with the fact that expecting people to remember strong passwords simply defies all understanding of human behavior.
As Michael Schrage outlined in his MIT Technology Review article, “The Password Is Fayleyure” (March 2005, see download at the end of this article), passwords “perversely inspire abuse, misuse, and criminal mischief by deliberately making users the weakest link in the security chain.” Basically, we have chosen a technology that is almost impossible for humans to manage or remember, but trivial for computers to crack, and then called it security.
Numerous studies have shown that when faced with the difficulty of remembering “strong” passwords, people routinely pick simple passwords that are found in dictionaries and susceptible to brute force attacks. Furthermore, they use the same passwords over and over again, so that the successful guess of a single password means that numerous other devices can be exploited.
The situation in process control environments is even worse. Instead of one person having to remember a password to access a personal workstation, SCADA equipment access is often shared with an entire group, resulting in even simpler passwords that are common to multiple devices.
This reuse of passwords has nasty consequences when combined with the many SCADA products that have broken password systems - check many PLC or RTU systems and you will find the passwords being sent in plain text over the network.
During an analysis of an oil refinery, I discovered that the PLC password that was trivial to capture off the network was the same one that the controls group used for accessing more robust systems like Windows servers. Once I had the PLC password, I could happily log into the servers as an administrator. At least if they had stuck with the PLC manufacturer’s default passwords, I would have had to work harder to crack the server’s passwords.
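The refinery situation Byres describes, as an added example (not code from his article or from any product): credentials are lifted from constructed plaintext protocol payloads, then each captured password is checked against the account store of the “stronger” tier. The device addresses, account names, capture lines and the PBKDF2-HMAC-SHA256 verifiers are all constructed here; a real audit would compare against the real account store (for Windows servers, the NT hashes), but PBKDF2 is used as a self-contained stand-in.

```python
"""Find credentials sent in the clear by PLC/RTU-class devices and check
whether the same passwords also open stronger systems.

Added example, not code from Byres' article. Capture lines, addresses,
account names and verifiers below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Constructed client-to-server payloads from a plant-floor capture:
# (device, protocol, payload). Only plaintext protocols are listed,
# which is exactly where the problem lives.
CAPTURE = [
    ("10.1.5.20", "ftp",  "USER maint"),
    ("10.1.5.20", "ftp",  "PASS Plant1!"),
    ("10.1.5.31", "http", "GET /cgi-bin/status HTTP/1.1"),
    ("10.1.5.31", "http", "Authorization: Basic "
                          + base64.b64encode(b"admin:Plant1!").decode()),
    ("10.1.5.42", "http", "POST /login HTTP/1.1"),
    ("10.1.5.42", "http", "user=operator&password=rtu-default"),
]


def extract_plaintext_credentials(capture):
    """Return (device, protocol, username, password) for every credential
    that can be read straight off the wire."""
    creds = []
    last_ftp_user = {}                       # device -> most recent USER
    for device, proto, payload in capture:
        if proto == "ftp":
            m = re.match(r"USER (\S+)$", payload)
            if m:
                last_ftp_user[device] = m.group(1)
                continue
            m = re.match(r"PASS (\S+)$", payload)
            if m:
                creds.append((device, proto, last_ftp_user.get(device, "?"), m.group(1)))
        elif proto == "http":
            m = re.match(r"Authorization: Basic (\S+)$", payload)
            if m:
                user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
                creds.append((device, proto, user, pw))
                continue
            # A form body has no spaces; request lines and headers do.
            form = parse_qs(payload) if "=" in payload and " " not in payload else {}
            if "password" in form:
                creds.append((device, proto, form.get("user", ["?"])[0], form["password"][0]))
    return creds


def make_verifier(password, salt, iterations=50_000):
    """Salted PBKDF2 verifier standing in for the strong tier's account store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed account store for the "strong" tier (servers, domain accounts).
STRONG_ACCOUNTS = {
    ("historian-srv", "Administrator"): (b"salt-hist", make_verifier("Plant1!", b"salt-hist")),
    ("dc01", "svc_backup"): (b"salt-dc01", make_verifier("7Gq!mountain-steam", b"salt-dc01")),
}


def find_reuse(creds, strong_accounts):
    """Report every sniffed password that also verifies against a strong-tier
    account: the path from a captured PLC login to server administrator."""
    hits = []
    for device, proto, user, pw in creds:
        for (system, account), (salt, verifier) in strong_accounts.items():
            if hmac.compare_digest(make_verifier(pw, salt), verifier):
                hits.append((device, proto, user, system, account))
    return hits


if __name__ == "__main__":
    found = extract_plaintext_credentials(CAPTURE)
    for device, proto, user, pw in found:
        print(f"plaintext credential on {device} ({proto}): {user} / {pw}")
    for device, proto, user, system, account in find_reuse(found, STRONG_ACCOUNTS):
        print(f"REUSE: {user}@{device} ({proto}) also opens {system}\\{account}")
```

Run against the constructed capture, the FTP and HTTP Basic logins on the two PLC-class devices both open the historian server’s Administrator account, while the RTU web-form password is not reused anywhere; that second case is what a “throw-away” password for a plaintext-protocol device should look like.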
Memorable, yet effective, passwords
Since we are stuck using passwords, I do have a few thoughts on how to make the best out of a bad situation. First, there is good guidance on how to pick memorable, yet more difficult to crack passwords. One of my favorites is from the paper “Password Memorability and Security: Empirical Results.” The authors showed that security can be significantly improved if administrators provide explicit guidance on how a password should be chosen.
They also provide examples on developing that guidance and my favorite is the following (paraphrased from the paper):
“Choosing a good password is critical to maintaining the security of this system. To construct a good password, create a simple sentence of 8 or more words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and special character should be inserted as well.
An example is the phrase “It’s 12 noon and I am hungry” which can be used to create the password “I’s12n&Iah”. Under no circumstances should the password contain a word that could be found in a dictionary, is a product or area name or be made up of only letters or numbers.”
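The construction rule quoted above, turned into a checker, as an added example that is not code from the paper (Yan, Blackwell, Anderson and Grant) or from Byres’ article. The word lists are small constructed stand-ins for a real dictionary and a site’s product and area names; derive_from_phrase() is one mechanical way to apply the rule (initial letters, digits copied through, “and” becomes “&”), and it renders the quoted phrase as “I12n&Iah” rather than the hand-made “I’s12n&Iah”, which also keeps the ’s from “It’s”.

```python
"""Check candidate passwords against the guidance quoted above: mixed case,
at least one digit and one special character, and no dictionary, product
or area word anywhere in the password.

Added example; the word lists are constructed stand-ins.
"""
import re

DICTIONARY = {"pump", "water", "noon", "hungry", "password", "plant", "valve", "admin"}
SITE_NAMES = {"simatic", "houston", "curran", "gardner", "clarifier"}   # constructed


def derive_from_phrase(phrase):
    """One mechanical rendering of the rule: first letter of each word,
    numbers copied through, 'and' becomes '&'. Case follows the phrase."""
    out = []
    for word in phrase.split():
        if word.lower() == "and":
            out.append("&")
        elif word.isdigit():
            out.append(word)
        else:
            out.append(word[0])
    return "".join(out)


def check_password(pw, dictionary=DICTIONARY, site_names=SITE_NAMES, min_len=8):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    low = pw.lower()
    # Words of four letters or more anywhere in the password count, so
    # "Pump2011" fails even though it has a digit; shorter words such as
    # "am" or "is" are ignored to avoid flagging every initial-letter string.
    for word in sorted(dictionary | site_names):
        if len(word) >= 4 and word in low:
            problems.append(f"contains the word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("I's12n&Iah",
                      derive_from_phrase("It's 12 noon and I am hungry"),
                      "Pump2011", "Simatic!1", "water"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

The checker is deliberately a list of reasons rather than a yes/no, so the guidance an administrator hands out can be echoed back verbatim when a password is rejected; that explicit feedback is the part the paper found actually moved the needle.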
It is also critical to make sure passwords used for weak systems (like PLCs) or weak protocols (like FTP or HTTP) are not the same as the passwords used for stronger systems. One client rated their control systems in terms of password robustness and then had “throw-away” passwords for systems that sent passwords over the network in plain text.
Frankly, I think passwords as a whole are a complete security disaster - unfortunately one that we are going to have to live with for a few years to come. Since we are stuck with them, I would like to hear what real SCADA and process control engineers are doing about their passwords on the plant floor. Send your ideas and questions and together we will make our systems more secure.