Chester Wisniewski,
Sophos: US SCADA infrastructure woefully unprotected
November 21, 2011
It has been reported that a SCADA systems failure at a municipal water
processing plant may have been caused by hackers infiltrating their
network.
The attackers repeatedly turned a pump on and off until the pump failed,
which raised an alert to the operators.
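The cycling pattern described above is exactly the kind of behaviour a plant's own control log or historian can surface before equipment fails. The following is an added example, not code from the original post or from Sophos: it parses constructed pump-state log lines (the log format, pump names, timestamps and the default thresholds are all assumptions made for this example) and flags any pump whose state changes more often within a sliding time window than a configured limit.

```python
"""Detect rapid on/off cycling of a pump from control-log lines.

Constructed sample log format (one event per line, assumed for this example):
    <ISO-8601 timestamp> <pump id> <ON|OFF>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not taken from any real plant.
# PUMP-A cycles on a normal half-hourly schedule; PUMP-B is toggled
# every 40 seconds, the kind of pattern that wears a pump out.
SAMPLE_LOG = """\
2011-11-08T01:00:00 PUMP-A ON
2011-11-08T01:30:00 PUMP-A OFF
2011-11-08T02:00:00 PUMP-A ON
2011-11-08T02:30:00 PUMP-A OFF
2011-11-08T02:10:00 PUMP-B ON
2011-11-08T02:10:40 PUMP-B OFF
2011-11-08T02:11:20 PUMP-B ON
2011-11-08T02:12:00 PUMP-B OFF
2011-11-08T02:12:40 PUMP-B ON
2011-11-08T02:13:20 PUMP-B OFF
2011-11-08T02:14:00 PUMP-B ON
2011-11-08T02:14:40 PUMP-B OFF
"""


def parse_events(text):
    """Return {pump_id: sorted list of (timestamp, state)} from log text."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, pump, state = line.split()
        events[pump].append((datetime.fromisoformat(ts), state))
    for history in events.values():
        history.sort()  # log lines may arrive out of order
    return events


def state_changes(history):
    """Timestamps at which the recorded state differs from the previous one."""
    changes = []
    prev = None
    for ts, state in history:
        if prev is not None and state != prev:
            changes.append(ts)
        prev = state
    return changes


def max_changes_in_window(changes, window):
    """Largest number of state changes falling inside any window of length `window`.

    Two-pointer sweep over the sorted change timestamps: advance `start`
    until the span fits in the window, then record the count.
    """
    best = 0
    start = 0
    for end in range(len(changes)):
        while changes[end] - changes[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_rapid_cycling(text, window_seconds=600, max_changes=4):
    """Return {pump_id: observed_changes} for pumps that exceed the limit.

    Thresholds are assumed defaults for this example; a real plant would
    derive them from the equipment's rated duty cycle.
    """
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pump, history in parse_events(text).items():
        n = max_changes_in_window(state_changes(history), window)
        if n > max_changes:
            alerts[pump] = n
    return alerts


if __name__ == "__main__":
    for pump, n in detect_rapid_cycling(SAMPLE_LOG).items():
        print(f"ALERT {pump}: {n} state changes within 10 minutes")
```

Counting state changes rather than raw commands matters: a repeated "ON" sent to a pump that is already running does no mechanical harm, while alternating states in quick succession does. The same sweep works for valves or breakers once the log carries their state.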
Upon investigation they determined that attackers may have infiltrated
the system starting in September 2011, although the attack wasn't
discovered until November 8th, 2011.
The notice about the attack noted that it was similar to an attack
against the Massachusetts Institute of Technology earlier this year
which exploited bugs in the open source software phpMyAdmin.
Reading about this my spidey-sense was tingling... What? They have SCADA
control systems hooked up to the public internet? And they are running
phpMyAdmin!?!?
I run a reasonably low profile, small website for myself and some
friends and at one point had installed phpMyAdmin to assist them with
daily SQL management chores.
I removed it four years ago after a never ending stream of severe
vulnerabilities made it too risky for my *play* site.
According to the National Vulnerability Database, phpMyAdmin has at
least 105 reported security vulnerabilities.
It would appear to be common practice these days to connect these
sensitive critical infrastructure systems to the public internet and use
COTS (Commercial Off-The-Shelf) software to manage them.
Convenience and price are always desirable to those responsible for
managing these systems, but this is bordering on criminally negligent
when you are responsible for our water, power, gas and other sensitive
utilities.
The Department of Homeland Security needs to do a top-down audit of
these systems and mandate that these insecure practices come to an end.
Within hours of the news breaking on this story a hacker known as pr0f
posted images of internal SCADA control systems from the City of South
Houston, Nevada.
He insists he hasn't interfered with their operations and is just
releasing the information to draw attention to the problem.
Of course that doesn't change the fact that accessing these systems is
still a criminal act under the Computer Fraud and Abuse Act.
We may already be at a crisis point with regard to our infrastructure
security, but perhaps these stories will be a wake-up call for those
managing similar systems around the world.
Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He
provides advice and insight into the latest threats for security and IT
professionals with the goal of providing clear guidance on complex
topics.
You can follow Chester on Twitter as
@chetwisniewski.