 
Confusion surrounding utility security highlights need for continuous industrial control system monitoring
2011-12-02
by Anthony DiBello

The only thing that was certain in the initial days following the report of an alleged cyber-security breach at a Springfield, Ill. public water utility was that no one seemed sure what had actually happened. A Wired article, "H(ackers)2O: Attack on City Water Station Destroys Pump," asserted that attackers had remotely accessed the utility's SCADA (Supervisory Control and Data Acquisition) system and then damaged a pump by repeatedly turning it on and off.

 

Days after the report, however, the U.S. Department of Homeland Security (DHS) said it was investigating the incident and had no evidence that an attack was the cause of the damage to the pump. About a week later it became clear that, according to The Washington Post, the water-pump failure in Illinois was not a cyberattack after all; it was traced to a plant contractor who had remotely accessed the pump while traveling.

 

That conclusion did not arrive before hundreds of blog posts and news stories had cited the attack as fact; a Time Techland post, "Hackers Blow Up Illinois Water Utility...or Not," catalogs some of them.

 

Within the same period, and entirely separate from the Springfield incident, a hacker going by the name "Pr0f" published what he called evidence of an attack on a "really insecure" SCADA system in South Houston. Pr0f said he was prompted to act by the DHS's downplaying of the poor state of national infrastructure security.

 

In a subsequent interview with the security website Threatpost, Pr0f said the attack did not require much "hacking" to complete: the password protecting the system was three characters long and very easy to guess.

 

Both incidents highlight the challenges of industrial control system security, and they point to steps that can improve both security and the speed and accuracy of the response to an event. The basic tenets of these systems are accessibility, availability and continuity of service; security cannot be allowed to disrupt them. As the recent examples show, however, operators need a fast way to determine whether an event was simply an accident or the act of an attacker. Forensic technology can help system administrators make that determination rapidly and without disrupting the system. More rapid information sharing among state and federal agencies would also help. Finally, and just as important, those running industrial control systems need to take a close look at the security of their infrastructure as a whole.
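The accident-or-attacker question above is, in practice, a log correlation exercise: every control command should be explainable by a session that was allowed to issue it. The following is an added example, not code from this article or from Guidance Software. It joins a constructed SCADA command log against a constructed remote-access session log, labels each pump command as local, remote-authorized or remote-unattributed, and separately flags the rapid on/off cycling that damages a pump regardless of who issued it. The two log formats, the control-LAN range 10.1.0.0/16 and the account names are assumptions made for the illustration.

```python
"""Attribute SCADA control commands to remote-access sessions and flag rapid cycling.

Added example; not code from the original article or from Guidance Software.
Log formats, the control-LAN range and the account names are assumptions, and
every log line below is constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

CONTROL_NET = ipaddress.ip_network("10.1.0.0/16")  # assumed plant control LAN

# Constructed remote-access (VPN) log: session start and end per account and source.
VPN_LOG = """\
2011-11-08 21:55:10 LOGIN  user=contractor_jsmith src=203.0.113.45
2011-11-08 22:20:31 LOGOUT user=contractor_jsmith src=203.0.113.45
"""

# Constructed SCADA command log: the HMI records the operator account and the
# address each command came from.
SCADA_LOG = """\
2011-11-08 21:58:02 PUMP3 START operator=contractor_jsmith src=203.0.113.45
2011-11-08 21:59:15 PUMP3 STOP  operator=contractor_jsmith src=203.0.113.45
2011-11-08 22:00:40 PUMP3 START operator=contractor_jsmith src=203.0.113.45
2011-11-08 22:01:50 PUMP3 STOP  operator=contractor_jsmith src=203.0.113.45
2011-11-08 22:03:05 PUMP3 START operator=contractor_jsmith src=203.0.113.45
2011-11-08 22:05:00 PUMP3 STOP  operator=contractor_jsmith src=203.0.113.45
2011-11-08 23:40:12 PUMP3 START operator=operator1 src=10.1.20.20
2011-11-09 01:12:33 PUMP3 STOP  operator=admin src=198.51.100.7
"""

VPN_RE = re.compile(r"^(\S+ \S+) (LOGIN|LOGOUT)\s+user=(\S+) src=(\S+)$")
CMD_RE = re.compile(r"^(\S+ \S+) (\S+) (START|STOP)\s+operator=(\S+) src=(\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_sessions(vpn_text):
    """Pair LOGIN/LOGOUT lines into (user, src, start, end); end is None if still open."""
    open_sessions, sessions = {}, []
    for line in vpn_text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue
        ts, event, user, src = m.groups()
        if event == "LOGIN":
            open_sessions[(user, src)] = parse_ts(ts)
        elif (user, src) in open_sessions:
            sessions.append((user, src, open_sessions.pop((user, src)), parse_ts(ts)))
    sessions.extend((u, s, start, None) for (u, s), start in open_sessions.items())
    return sessions


def parse_commands(scada_text):
    """Return (timestamp, device, action, operator, src) for each well-formed line."""
    commands = []
    for line in scada_text.splitlines():
        m = CMD_RE.match(line)
        if m:
            ts, device, action, operator, src = m.groups()
            commands.append((parse_ts(ts), device, action, operator, src))
    return commands


def classify(command, sessions):
    """local: from the control LAN. remote-authorized: inside a session for the same
    account and source address. remote-unattributed: nothing on record explains it."""
    ts, _device, _action, operator, src = command
    if ipaddress.ip_address(src) in CONTROL_NET:
        return "local"
    for user, ssrc, start, end in sessions:
        if user == operator and ssrc == src and start <= ts and (end is None or ts <= end):
            return "remote-authorized"
    return "remote-unattributed"


def attribute(scada_text, vpn_text):
    """One dict per command, in log order, with its verdict."""
    sessions = parse_sessions(vpn_text)
    rows = []
    for c in parse_commands(scada_text):
        ts, device, action, operator, src = c
        rows.append({"time": ts, "device": device, "action": action,
                     "operator": operator, "src": src, "verdict": classify(c, sessions)})
    return rows


def rapid_cycling(scada_text, window=timedelta(minutes=10), max_starts=3):
    """Devices with at least max_starts START commands inside any span of length
    window, whoever issued them; this is the pattern that wears out a pump."""
    starts = {}
    for ts, device, action, _op, _src in parse_commands(scada_text):
        if action == "START":
            starts.setdefault(device, []).append(ts)
    flagged = set()
    for device, times in starts.items():
        times.sort()
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= window) >= max_starts:
                flagged.add(device)
                break
    return flagged


if __name__ == "__main__":
    for row in attribute(SCADA_LOG, VPN_LOG):
        print(row["time"], row["device"], row["action"], row["operator"], row["verdict"])
    print("rapid cycling:", sorted(rapid_cycling(SCADA_LOG)))
```

In the constructed data the six commands from the contractor fall inside a recorded VPN session and are attributed to that account, which is the "accident, not attack" outcome; the last command has no session behind it and is what an investigator would chase first. Both checks only read logs that already exist, so they can run without touching the process.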

                                                                 

When assessing their attack surface, critical infrastructure managers still need to start with the basics: inventory the connected systems, map every traffic ingress and egress point, and disconnect any system that does not need to be reachable from the Internet. Systems that must stay connected need proper security controls (firewalls, access controls and authentication), implemented so as not to disrupt their accessibility, availability and continuity. Vendor-supplied default passwords do not cut it, and three-character passwords certainly do not. It is also good practice to look at SCADA systems periodically for vulnerabilities in the same way a potential attacker would.
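Once the inventory exists, the basics in the paragraph above can be checked mechanically. The script below is an added example, not the article's or Guidance Software's code: it walks a constructed asset inventory and a constructed firewall policy and asks, for each asset, whether an arbitrary Internet host can reach any of its listening ports, whether a control device can initiate connections out to the Internet, and whether its credential is a vendor default or too short. The rule semantics (first match wins, no match denies), the default-credential list, the hostnames and the twelve-character minimum are all assumptions.

```python
"""Attack-surface audit over an asset inventory and a firewall rule set.

Added example; not code from the original article or from Guidance Software.
Inventory, rule set, default-credential list and rule semantics are assumptions.
"""
import ipaddress

CONTROL_ROLES = {"plc", "hmi", "historian"}
MIN_PASSWORD_LEN = 12                                 # assumed policy minimum
INTERNET_SRC = ipaddress.ip_address("198.51.100.1")   # representative external source
INTERNET_DST = ipaddress.ip_address("192.0.2.1")      # representative external destination
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root")}  # constructed

# Constructed inventory: hostnames, addresses and credentials are illustrative.
ASSETS = [
    {"host": "plc-pump3", "ip": "10.1.20.11", "role": "plc", "ports": [502],
     "user": "admin", "password": "admin"},
    {"host": "hmi-1", "ip": "10.1.20.20", "role": "hmi", "ports": [3389, 5900],
     "user": "operator", "password": "pw1"},
    {"host": "historian", "ip": "10.1.30.5", "role": "historian", "ports": [1433],
     "user": "svc_hist", "password": "Ws9!kq2mLp#4vT"},
    {"host": "web-kiosk", "ip": "10.2.0.8", "role": "corporate", "ports": [443],
     "user": "kiosk", "password": "kiosk2011"},
]

# Constructed firewall policy: (action, src, dst, dport); dport None matches any port.
FW_RULES = [
    ("allow", "0.0.0.0/0", "10.1.20.20/32", 3389),   # vendor support desk reaches the HMI
    ("allow", "0.0.0.0/0", "10.1.20.11/32", 502),    # Modbus/TCP reachable from anywhere
    ("allow", "10.1.0.0/16", "0.0.0.0/0", None),     # control LAN may talk to anything
    ("allow", "10.2.0.0/16", "10.1.30.5/32", 1433),  # corporate reporting to the historian
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]


def permitted(rules, src, dst, port):
    """First matching rule decides; no match means deny."""
    for action, rsrc, rdst, rport in rules:
        if (src in ipaddress.ip_network(rsrc) and dst in ipaddress.ip_network(rdst)
                and (rport is None or rport == port)):
            return action == "allow"
    return False


def audit(assets, rules):
    """Return (host, code, detail) findings for the basics the article lists."""
    findings = []
    for a in assets:
        ip = ipaddress.ip_address(a["ip"])
        # Ingress: can an arbitrary Internet host reach any listening port?
        exposed = [p for p in a["ports"] if permitted(rules, INTERNET_SRC, ip, p)]
        if exposed:
            kind = "control system" if a["role"] in CONTROL_ROLES else "non-control"
            findings.append((a["host"], "INTERNET_INGRESS",
                             f"{kind} ports {exposed} reachable from the Internet"))
        # Egress: a control device that can reach out is how malware phones home.
        if a["role"] in CONTROL_ROLES and permitted(rules, ip, INTERNET_DST, 443):
            findings.append((a["host"], "UNRESTRICTED_EGRESS",
                             "can initiate connections to the Internet"))
        # Credentials: vendor defaults first, then length.
        if (a["user"], a["password"]) in DEFAULT_CREDS:
            findings.append((a["host"], "DEFAULT_CREDENTIAL",
                             f"vendor default account {a['user']!r}"))
        elif len(a["password"]) < MIN_PASSWORD_LEN:
            findings.append((a["host"], "WEAK_PASSWORD",
                             f"{len(a['password'])} characters"))
    return findings


if __name__ == "__main__":
    for host, code, detail in audit(ASSETS, FW_RULES):
        print(f"{host:10} {code:20} {detail}")
```

Against the constructed policy the PLC and the HMI both turn up as reachable from the Internet and able to connect outbound, the PLC still carries its vendor default account, and the HMI's three-character password fails on length; the historian is not exposed inbound but can still reach out. Feeding real inventory and rule exports into the same two checks is the routine, attacker's-eye review the paragraph above recommends.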

 

With all of that in place, it is still essential to monitor these systems continuously for unwanted and potentially malicious changes, such as those that accompany the installation of Trojans, worms, bot agents, remote monitoring and control software, and other common forms of malware.
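One way to do that monitoring without disturbing the process is a baseline-and-compare integrity check, which only reads files. The code below is an added example, not code from this article or from Guidance Software: it hashes every regular file under a directory, stores the baseline as JSON, and on the next pass reports files that were added, removed or modified. The demo() function builds a small constructed HMI directory tree and then simulates the kind of changes a dropper makes; the file names and contents are invented for the illustration.

```python
"""Baseline-and-compare integrity monitoring for a control-system host.

Added example; not code from the original article or from Guidance Software.
The directory layout and file contents are constructed inside demo().
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative POSIX path -> {sha256, size} for every regular file under root."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file():  # skip sockets, device nodes and dangling links
                rel = p.relative_to(root).as_posix()
                baseline[rel] = {"sha256": file_digest(p), "size": p.stat().st_size}
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; in practice keep this copy off the monitored host."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Sorted lists of added, removed and content-modified paths between two baselines."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo():
    """Baseline a constructed HMI tree, simulate unwanted changes, return the diff."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "hmi").write_bytes(b"\x7fELF-placeholder-hmi-binary")
        (root / "hmi.cfg").write_text("pump3.remote_control=false\n")
        (root / "logs").mkdir()
        (root / "logs" / "alarm.log").write_text("2011-11-08 21:58 PUMP3 START\n")

        baseline_path = Path(store) / "baseline.json"  # separate location from the host
        save_baseline(build_baseline(root), baseline_path)

        # Simulated unwanted changes: a dropped executable, a config edit that enables
        # remote control, a patched HMI binary, and a wiped alarm log.
        (root / "bin" / "svchost.exe").write_bytes(b"MZ-placeholder-dropper")
        (root / "hmi.cfg").write_text("pump3.remote_control=true\n")
        (root / "bin" / "hmi").write_bytes(b"\x7fELF-placeholder-hmi-binary-patched")
        (root / "logs" / "alarm.log").unlink()

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Scheduled against the directories that hold the HMI software, its configuration and its logs, the comparison surfaces exactly the artifacts the paragraph above lists: new executables, altered configuration, replaced binaries and removed logs. A hash comparison sees only what is on disk, so it does not catch an implant that lives purely in memory; it is a cheap first layer, not the whole monitoring story.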

 

Anthony Di Bello is product marketing manager at Guidance Software.