Former Employees Are Identified as Sources of Recent Cyber-Attacks on Critical Infrastructures

Recently we were shocked, and then relieved, to learn that a suspected cyber-attack on a public water utility in Illinois was not an attack at all. The “Russian hacker” who “attacked” a water pump turned out to be an American contractor on vacation in Russia who had been asked to check the computerized system remotely. After this turn of events, who can still take seriously the possibility of a cyber-attack on water utilities? Many industry experts, that is who.

The experts’ reasoning rests on the fact that a very similar event had already taken place in March 2000 on Queensland’s Sunshine Coast, Australia. The newly built sewage system at Maroochy Water Services began shutting down and operating erratically. All 142 sewage pumping stations were controlled from two monitoring stations through a supervisory control and data acquisition (SCADA) system, and the SCADA system’s internal communications ran over radio on three frequencies.

Robert Stringfellow, the civil engineer in charge of the water supply and sewage systems at Maroochy Water Services, was facing several problems at once: alarms arriving from pump stations for no reason, pumps stopping with no alarm or running nonstop, and communications failing because of an unexplained increase in radio traffic. At first a poor installation of the SCADA system was blamed.

After the software was reinstalled and every field component of the SCADA system had been double-checked, Stringfellow concluded that the changes to the SCADA settings were far beyond anything the system could have done to itself. He began looking for an outside intruder and eventually found one. The hacker turned out to be a former contractor, Vitek Boden, who had originally installed the SCADA system.

Maroochy Shire Council had declined to hire Boden as a full-time employee, and in retaliation he set out to attack Maroochy’s systems remotely. Using a laptop and radio equipment, he manipulated the pump stations and caused the failures described above. Boden hoped he would be hired back to fix the SCADA system. His “perfect” plan did not work, and he ended up in an Australian jail.

Another cyber-attack on a SCADA system happened in Southern California in 2008. Mario Azar had held a temporary IT-consultant position at Pacific Energy Resources. After his assignment ended on May 8, 2008, and the company declined to offer him a full-time job, Azar kept working, from home. Between May 8 and June 29 he used the credentials of several user accounts to access a SCADA system that monitored three Pacific Energy Resources oil platforms off Huntington Beach. Once in control, Azar disabled the leak-detection system responsible for the environmental safety of the platforms.

In the recent past, the well-publicized cyber-attacks on SCADA systems were carried out by former employees and contractors. These insiders knew the particular SCADA systems well and still had the knowledge and credentials needed to access them. Working remotely, they successfully attacked critical infrastructure.
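The check a practitioner would want after the Azar case is simple to state: compare every remote login against an offboarding roster and flag any account whose holder's engagement ended before the login. The script below is an added example, not code from the original article or from any organization it names. The log format (syslog-style key=value fields), the account names, dates and addresses are all constructed assumptions; the point it makes beyond the text is that shared accounts issued to a contractor, and accounts nobody owns at all, have to be in the roster too, or the check misses exactly the logins that matter.

```python
"""Detect use of accounts after their holder's engagement ended.

Added example, not code from the original article or from any of the
companies it describes. It models the Azar pattern: a contractor kept using
SCADA accounts for weeks after his assignment ended. Every account name,
date, IP address and log line below is constructed for illustration, and the
log format (syslog-style key=value fields) is an assumption.
"""
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed offboarding roster: account -> last authorised day (None = still
# active). Shared and service accounts are mapped to the person who was issued
# them, since offboarding only the personal login misses those.
ROSTER: Dict[str, Optional[date]] = {
    "scada_ops": date(2008, 5, 8),   # contractor's personal account
    "hmi_shared": date(2008, 5, 8),  # shared HMI login issued to the same contractor
    "j.smith": None,                 # current staff
}

# Constructed remote-access log lines. The contractor's last day is 8 May;
# anything by his accounts after that is a finding, successful or not.
SAMPLE_LOG = """\
2008-05-07T14:02:11 vpn01 login user=scada_ops src=10.8.0.17 result=success
2008-05-10T22:41:09 vpn01 login user=scada_ops src=68.1.22.5 result=success
2008-06-29T03:15:44 vpn01 login user=hmi_shared src=68.1.22.5 result=success
2008-06-29T08:00:02 vpn01 login user=j.smith src=10.8.0.21 result=success
2008-06-30T09:12:30 vpn01 login user=scada_ops src=68.1.22.5 result=failure
2008-06-30T09:13:01 vpn01 login user=ghost src=68.1.22.5 result=success
"""


def parse_line(line: str) -> dict:
    """Parse '<ts> <host> <event> k=v k=v ...' into a dict with a datetime ts."""
    ts, host, event, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["host"] = host
    rec["event"] = event
    return rec


def find_offboarding_gaps(log_text: str,
                          roster: Dict[str, Optional[date]]) -> List[dict]:
    """Return one finding per login by an account that should no longer be usable.

    Two cases are flagged:
      * 'post_termination': the account's holder left before the login; the
        finding records how many days later the account was still in use.
      * 'unknown_account': the account is not in the roster at all, which
        usually means an orphaned or ad-hoc account nobody owns.
    Failed logins are kept as well: an ex-contractor probing old accounts is
    exactly the early signal worth seeing.
    """
    findings: List[dict] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["event"] != "login":
            continue
        user = rec["user"]
        if user not in roster:
            findings.append({"kind": "unknown_account", "user": user,
                             "ts": rec["ts"], "src": rec["src"],
                             "result": rec["result"]})
            continue
        end = roster[user]
        if end is not None and rec["ts"].date() > end:
            findings.append({"kind": "post_termination", "user": user,
                             "ts": rec["ts"], "src": rec["src"],
                             "result": rec["result"],
                             "days_after_end": (rec["ts"].date() - end).days})
    return findings


def accounts_to_disable(findings: List[dict]) -> List[str]:
    """Distinct implicated accounts in first-seen order: the revocation list."""
    seen: List[str] = []
    for f in findings:
        if f["user"] not in seen:
            seen.append(f["user"])
    return seen


if __name__ == "__main__":
    hits = find_offboarding_gaps(SAMPLE_LOG, ROSTER)
    for f in hits:
        print(f)
    print("disable:", accounts_to_disable(hits))
```

Run against the constructed log, it reports the two personal-account logins after May 8 (one of them a failed attempt 53 days later), the shared HMI account used seven weeks after the contractor left, and the `ghost` account that appears in no roster at all. The roster is the weak point of this check in practice: it has to come from the HR or contracts system, not from the IT ticket queue, and it has to list every shared and service credential a departing person ever held.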

Less well-known cases involve extortion. In its 2009 report, the computer security company McAfee gave the following figures for the share of surveyed companies that reported being victims of extortion, by industry: 31% of oil and gas companies, 27% of power utilities, and 17% of water and sewage utilities.

Of course, when the Stuxnet worm surfaced in 2010 it got all the attention. For the first time the general public realized that cyber-war between nation-states is no longer limited to knocking government web sites offline. By targeting vulnerabilities in SCADA systems, Stuxnet-like cyber-weapons threaten the lives of millions of people. In the shadow of Stuxnet, disgruntled former employees do not look very dangerous, but the threat from them is very real.

Sources:

1. Jill Slay and Michael Miller, “Lessons Learned from the Maroochy Water Breach”.
2. David Kravets, “Feds: Hacker Disabled Offshore Oil Platforms’ Leak-Detection System”, Wired, Threat Level.
3. McAfee, “In the Crossfire: Critical Infrastructure in the Age of Cyber War”.
