Hackers have reportedly breached the systems of two US water utility companies, potentially causing physical damage in one case.
A manufacturer of supervisory control and data acquisition (SCADA) systems used to manage operations at critical infrastructure facilitates, was breached and had customer usernames and passwords stolen, according to Joe Weiss, managing partner of SCADA security firm Applied Control Solutions.
The attack was traced back to an IP address located in Russia.
The incident was first disclosed in an Illionis state government report, according to Weiss. The affected water utility noticed minor issues in the remote access to SCADA system for about two to three months before the problem was identified as a breach.
“There was damage – the SCADA system was powered on and off, burning out a water pump,” Weiss wrote in the blog post.
The US Department of Homeland Security (DHS) spokesman Peter Boogaard indicated that the affected facility was located in Springfield, Ill.
“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Ill," Boogaard wrote. “At this time, there is no credible, corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”
Weiss, meanwhile, criticised the DHS, US-CERT and WaterISAC (Information Sharing and Analysis Center), for failing to disclose the incident to those in the sector.
“Consequently, none of the water utilities I have spoken to were aware of it,” Weiss wrote.
Following news of the incident, a hacker with the alias "pr0f," on Friday posted on Pastebin apparent proof of a separate intrusion into the systems of a South Houston water supplier.
The hacker posted images that appear to show the desktop interface of the water utility's SCADA system.
Hacking into a SCADA system is not any more difficult than hacking into any other computer, Dave Marcus, director of security research at McAfee, wrote in a blog post Friday.
“My gut tells me that there is greater targeting and wider compromise than we know about,” Marcus said. “Why? Again, my instincts tell me that there is a lack of cyberforensics and response procedures at most of these facilities.”