Joe Weiss, a managing partner for Applied Control Solutions, published barebones information on a hack damaging a city water pump that the US Department of Homeland Security indicated happened in Springfield, Illinois. The Register caught the story and unravels it a bit. From the highlights, it looks like hackers gained unauthorized access to the water utility via leaked passwords and not an exploit.

Weiss only published the minimal information because he didn’t want to disclose the location, but he did want to make the severity of the attack and its implications as clear as possible.

Weiss cited an official government report from the state where the regional water district was located. It was dated November 10, two days after the hack was discovered. The document indicates that the utility had been experiencing unexplained problems with its computerized system in the weeks leading up to the breach.

“Over a period of two to three months, minor glitches had been observed in remote access to the water district’s SCADA system,” Weiss said during an interview, in which he read a verbatim portion of the document to The Register. He said that the attackers were able to burn out one of the utility’s pumps by causing either the pump or the SCADA system that controlled it to turn on and off “repeatedly.”

[…] “This is really a big deal, and what’s just as big a deal is what isn’t being said or isn’t being done,” Weiss said. “What the hell is going on with DHS? Why aren’t people being notified?”

The DHS responded through a spokesman, “DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

According to security researchers, these systems are connected to the Internet in ways that they shouldn’t be. Many critical infrastructure systems contain unnecessary remote control mechanisms that can be accessed via the Internet and the proper passwords; therefore, with the proper codes, an attacker could reach out and fiddle with the devices from across the world. It makes the possibility plausible enough.

We’ve already seen that insidious malware can wreak havoc against infrastructure systems with the advent of Stuxnet and now the emergence of the Duqu worm—said to be at least genetically related codewise to the malicious virus that caused chaos for Iranian nuclear processing.

The real problem noted by Weiss is that he believes that attackers infiltrated the systems via stolen passwords of multiple customers of the SCADA system. This means that multiple industrial facilities could be vulnerable to this sort of intrusion. To make matters worse, many of these same facilities rely on hard-coded passwords that cannot be changed easily.

If these systems must be connected to the Internet, infrastructure critical facilities should really be hidden behind VPNs and heavily restricted in access. Having a door to a secure room with a hardcoded locking mechanism is not that much of a problem if an intruder must first go through several spheres of security first (outer gate, inner gate, hallway monitor.) In many cases, security can be about mitigating risk versus convenience and it doesn’t seem that people should be manipulating a city water pump remotely often enough that the inconvenience of a two or three-factor authentication would really be that bad.