Update: U.S. water plants reportedly hit by cyber attacks

In separate incidents, hackers allegedly caused a water pump failure at an Illinois utility and showed off purported access to water supply systems for a Texas city

Security experts have long worried that a knowledgeable hacker could damage the critical infrastructure that supplies power, water, and other utilities to U.S. citizens. The few incidents of cyber attacks on utilities, where details became public, have underscored the danger while at the same time signaling that such attacks may not be common.

Two events this week may change that perception.

On Thursday, a control-systems expert released details of an intrusion into a utility company's control network that lasted at least two months and resulted in damage to a water pump. In a statement, the U.S. Department of Homeland Security inadvertently identified the location of the utility company as Springfield, Ill. 

"This isn't hypothetical any more, where people write about what could and what may happen," said Joseph Weiss, a managing partner at Applied Control Solutions and the person who released details from the report. "This keeps going back to what somebody has done. We don't know what is going on and there is no guidance out there yet. The concern is how many others have been compromised."

However, City Water, Light & Power, the utility provider for the city, denied that it was the target of the attack. "Various reports have falsely identified City Water, Light and Power in Springfield, Ill., as having experienced a cyber security breach," the company said in a statement. "CWLP has not had any breach of its Water or Electric Department supervisory control and data acquisition (SCADA) systems." SCADA is the computer control network that operates various systems at the utility.

Whether or not CWLP is the breached utility firm, attacks on critical-infrastructure companies appear to be a trend. Today, a hacker posted images and details purportedly from the systems that control the water supply for the city of South Houston, Texas. A series of five images shows the various water levels at different pumping stations and appears to indicate the user has the ability to enable and disable equipment.

"The city of South Houston has a really insecure system. Wanna see? I know ya do," a hacker using the handle "pr0f" said in a post on Pastebin that links to the five images. In a separate email interview, the hacker added that he considers himself part of the Anonymous movement but separate from AnonOps.While he may not have had control over much of the water system, he likely could have turned pumps on and off, if he wanted, the hacker said.

"I wouldn't even call this a hack, either," he added. "This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic [control software]."

The inadvertent identification of the victim's location in the first attack may make utilities less forthcoming with information about security incidents at the same time that industrial-control specialists are calling for more details. In the alleged City Water, Power & Light incident, for example, the attackers got the usernames and passwords for the system from a third-party supplier, raising the specter that other utilities could already have been breached, ACS's Weiss says.

"This is our version of the RSA attack," Weiss said. "What we don't know is what other SCADA systems are compromised as we speak."

This story was updated on Nov. 18, 2011.

This story, "U.S. water plants reportedly hit by cyber attacks," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Copyright © 2011 IDG Communications, Inc.

How to choose a low-code development platform