Water utilities in Illinois, Houston reportedly hacked

Share this article:

Hackers have reportedly breached the systems of two U.S. water utility companies, potentially causing physical damage in one case.

It is believed that online miscreants breached the systems of a company that makes supervisory control and data acquisition (SCADA) systems, used to manage operations at critical infrastructure facilitates, and stole customer usernames and passwords, Joe Weiss, managing partner of SCADA security firm Applied Control Solutions, said in a blog post Thursday. The attack was traced back to an IP address located in Russia.

The incident was first disclosed in an Illinois state government report, according to Weiss. The affected water utility noticed minor issues in the remote access to SCADA system for about two to three months before the problem was identified as a cyberattack.

“There was damage – the SCADA system was powered on and off, burning out a water pump,” Weiss wrote in the blog post.

In a statement sent to SCMagazineUS.com on Friday, U.S. Department of Homeland Security (DHS) spokesman Peter Boogaard indicated that the affected facility was located in Springfield, Ill.

“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Ill," Boogaard wrote. “At this time, there is no credible, corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

Weiss, meanwhile, criticized the DHS, US-CERT and WaterISAC (Information Sharing and Analysis Center), for failing to disclose the incident to those in the sector.

“Consequently, none of the water utilities I have spoken to were aware of it,” Weiss wrote.

Following news of the incident, a hacker with the alias "pr0f," on Friday posted on Pastebin apparent proof of a separate intrusion into the systems of a South Houston water supplier. The hacker posted images that appear to show the desktop interface of the water utility's SCADA system.

Hacking into a SCADA system is not any more difficult than hacking into any other computer, Dave Marcus, director of security research at McAfee, wrote in a blog post Friday.

“My gut tells me that there is greater targeting and wider compromise than we know about,” Marcus said. “Why? Again, my instincts tell me that there is a lack of cyber forensics and response procedures at most of these facilities.”

Share this article:

Sign up to our newsletters

More in News

Feds warn health care sector of looming cyber attacks

The FBI believes that the lax security systems that the health care industry has in place make it a prime target for cyber attacks.

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.