Hackers have reportedly breached the systems of two U.S. water utility companies, potentially causing physical damage in one case.
It is believed that online miscreants breached the systems of a company that makes supervisory control and data acquisition (SCADA) systems, used to manage operations at critical infrastructure facilitates, and stole customer usernames and passwords, Joe Weiss, managing partner of SCADA security firm Applied Control Solutions, said in a blog post Thursday. The attack was traced back to an IP address located in Russia.
The incident was first disclosed in an Illinois state government report, according to Weiss. The affected water utility noticed minor issues in the remote access to SCADA system for about two to three months before the problem was identified as a cyberattack.
“There was damage – the SCADA system was powered on and off, burning out a water pump,” Weiss wrote in the blog post.
In a statement sent to SCMagazineUS.com on Friday, U.S. Department of Homeland Security (DHS) spokesman Peter Boogaard indicated that the affected facility was located in Springfield, Ill.
“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Ill," Boogaard wrote. “At this time, there is no credible, corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”
Weiss, meanwhile, criticized the DHS, US-CERT and WaterISAC (Information Sharing and Analysis Center), for failing to disclose the incident to those in the sector.
“Consequently, none of the water utilities I have spoken to were aware of it,” Weiss wrote.
Following news of the incident, a hacker with the alias "pr0f," on Friday posted on Pastebin apparent proof of a separate intrusion into the systems of a South Houston water supplier. The hacker posted images that appear to show the desktop interface of the water utility's SCADA system.
Hacking into a SCADA system is not any more difficult than hacking into any other computer, Dave Marcus, director of security research at McAfee, wrote in a blog post Friday.
“My gut tells me that there is greater targeting and wider compromise than we know about,” Marcus said. “Why? Again, my instincts tell me that there is a lack of cyber forensics and response procedures at most of these facilities.”