Bellovin comments on Krebs blog post about CNN’s report on water supply system breach.
According to press reports, a water utility’s SCADA network was hacked. The attacker turned a pump on and off too much, resulting in physical damage to the pump. This is an extremmely significant incident, for three reasons:
- The attack actually happened.
- Ordinary, off-the-shelf hacking tools were used, rather than something custom like Stuxnet
- Physical damage resulted
This is the scenario that security people and the Dept of Homeland Security have been predicting for years. Sophisticated methods with 0-day vulnerabilities were not needed. When the FBI investigates, will the Curran-Gardner Public Water District (near Springfield, IL) be called out for lax security practices as was Nasdaq?
