Eight Elements of Complete Vulnerability Management
Eight essential elements to help reduce your vulnerability to hackers.
Perhaps you heard the news that federal investigators are looking into a report that hackers attacked a water system in Illinois. Allegedly, hackers based in Russia were able to remotely shut down a water pump at a facility near Springfield. According to Reuters:
The attackers obtained access to the network of a water utility in a rural community west of the state capital Springfield with credentials stolen from a company that makes software used to control industrial systems, according to the account obtained by Joe Weiss, a prominent expert on protecting infrastructure from cyber attacks. It did not explain the motive of the attackers.
The Department of Homeland Security (DHS) has said that, while DHS and the FBI are investigating the matter, right now there is no credible threat to public safety or a risk to public infrastructure. As of this writing, we don't know if this alleged attack was isolated or part of a larger plan.
Let's be honest here - we all had to see this coming. Not this exact attack, but something similar. The Stuxnet attack on an Iranian nuclear plant proved that cyber criminals have the capability to attack critical infrastructure. There were already questions concerning the security of American utilities. Like I said, we knew it was coming. CBS News posted a story about a twenty-something hacker who claimed he hacked into a Houston-area water utility and other utilities to show how easy it is. Officials in Houston are looking into the claim.
What that young hacker pointed out was just how easy it is to hack into what are known as Supervisory Control and Data Acquisition (SCADA) systems - the highly specialized computer systems that control critical infrastructure ranging from water treatment plants to switches on railroads. The hacker, known as "pr0f," was quoted by CBS:
As for how I did it, it's usually a combination of poor configuration of services, bad password choice, and no restrictions on who can access the interfaces.
He is probably right. SCADA systems put the entire infrastructure - and nation - at risk. As a PC World article put it so clearly, SCADA wasn't designed with security in mind, nor was it designed for the highly connected, Internet-dependent society we are today.
The Illinois water systems hack needs to be a wake-up call to government officials on all levels that the infallibilities of our critical infrastructure have been exposed. Without action, we are a nation of sitting ducks.