Weak security defenses threatening utility networks
In recent weeks, several cyberattacks have exposed crucial energy grid weaknesses. However, according to both hackers and security experts, some of these vulnerabilities could have been eliminated with something as simple as password manager software.
According to InformationWeek, federal authorities have been called in to investigate a network breach at Illinois' Gardner Township Public Water District - a facility serving approximately 2,200 local citizens. The perpetrator was able to gain access to privileged control systems and ultimately cause the failure of one water pump due to overuse.
"Department of Homeland Security and the Federal Bureau of Investigation are gathering facts surrounding the report," DHS spokesman Peter Boogaard told reporters in an issued statement. "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."
However, these assurances have done little to quiet speculation regarding a possible act of cyberterrorism.
According to InformationWeek, the attack appears to have been launched from servers located in Russia. Critics were also disappointed to learn that the exploit was not discovered until the pump ultimately failed, and that the malicious programming may have taken place as early as September.
But perhaps more concerning than the incident itself are the glaring weaknesses in the system security provisions.
Reports have surfaced suggesting that some of the network's primary control systems were running phpMyAdmin, an open source software package.
"I run a reasonably low-profile, small website for myself and some friends and at one point had installed phpMyAdmin to assist them with daily SQL management chores," explained Sophos online security expert Chester Wisniewski in a recent blog post. "I removed it four years ago after a never-ending stream of severe vulnerabilities made it too risky for my 'play' site."
Wisniewski went so far as to call the government's practices criminally negligent, considering more than 105 phpMyAdmin flaws had already been registered with the National Vulnerability Database.
In an interview with Threatpost, a hacker from the online community has come forward to suggest he has had similar success exploiting weaknesses in a water treatment plant outside of Houston. Using the internet handle "pr0f", the hacker explained how he was able to gain restricted access to the network with a simple three-character password.
"This was barely a hack," pr0f explained in the interview. "A child who knows basic human machine interface that comes with Simatic works could have accomplished this."