Two Hot Pieces of Threat News
A couple of quick points:
- This is a standard IT attack and the exploit was just trying to use IT resources according to the story. Control systems have to protect against all these types of attacks, plus worry about SCADA applications and protocols that were not designed with security in mind.
- If you still have a boss that believes a firewall at the perimeter stops all threats and security on the control center is not an issue, show them this story as just one example.
The best news is we may now finally see less about the very old Australian Wastewater Hack, but this story is not as interesting so don’t count on it.
2. SANS/Alan Paller Comment from Federal Executive Leadership Conference
Questions were raised about our veracity after we mentioned industrial control systems (that run dams and power plants and pipelines and more) had actually been penetrated by criminals. Yesterday at the Federal Executive Leadership Conference in Williamsburg, VA, a representative of the Intelligence Community confirmed to 200 senior government and industry people that multiple critical infrastructure organizations had been penetrated and threatened with major outages if they did not pay extortion. The additional data made public yesterday was that all known extortion attacks against control systems took place outside the US. US utilities and pipeline companies will not confirm or deny that they, too, have been victimized and have paid extortion.
In an earlier blog entry, I did question Alan’s comment that the community “can count on rapid expansion of this type of crime” and requested more details to understand what the true threat was in those multiple instances.
Certainly a U.S. Government representative standing up in a big room and saying this on the record is useful information and thanks to Alan for reporting it.
Again I’m left wanting more information to understand the threat. If I could ask three questions they would be:
- Did the attackers penetrate the control system and gain the potential to control the process, or to eliminate the company's ability to control the process?
- What communication channel did the attacker need to cause the outage (the Internet, remote access, etc.)?
- What class of vulnerability did the attackers use to gain control of the system (missing patches, default credentials, unprotected remote access, zero-day, etc.)?
The main idea behind these questions is to determine whether there is anything unique to control systems in these multiple cases, or whether the attacks simply succeeded because organizations that run control systems also have ordinary networks exposed to ordinary IT attacks.
Author: Dale Peterson
Posted: November 1st, 2006 under Calculating Risk, SANS.