Water utilities in Illinois, Houston reportedly hacked

Hackers have reportedly breached the systems of two U.S. water utility companies, potentially causing physical damage in one case.

It is believed that online miscreants breached the systems of a company that makes supervisory control and data acquisition (SCADA) systems, used to manage operations at critical infrastructure facilities, and stole customer usernames and passwords, Joe Weiss, managing partner of SCADA security firm Applied Control Solutions, said in a blog post Thursday. The attack was traced back to an IP address located in Russia.

The incident was first disclosed in an Illinois state government report, according to Weiss. The affected water utility noticed minor issues with remote access to its SCADA system for about two to three months before the problem was identified as a cyberattack.

“There was damage – the SCADA system was powered on and off, burning out a water pump,” Weiss wrote in the blog post.

In a statement sent to SCMagazineUS.com on Friday, U.S. Department of Homeland Security (DHS) spokesman Peter Boogaard indicated that the affected facility was located in Springfield, Ill.

“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Ill,” Boogaard wrote. “At this time, there is no credible, corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

Weiss, meanwhile, criticized the DHS, US-CERT and WaterISAC (Information Sharing and Analysis Center) for failing to disclose the incident to those in the sector.

“Consequently, none of the water utilities I have spoken to were aware of it,” Weiss wrote.

Following news of the incident, a hacker with the alias "pr0f," on Friday posted on Pastebin apparent proof of a separate intrusion into the systems of a South Houston water supplier. The hacker posted images that appear to show the desktop interface of the water utility's SCADA system.

Hacking into a SCADA system is not any more difficult than hacking into any other computer, Dave Marcus, director of security research at McAfee, wrote in a blog post Friday.

“My gut tells me that there is greater targeting and wider compromise than we know about,” Marcus said. “Why? Again, my instincts tell me that there is a lack of cyber forensics and response procedures at most of these facilities.”
