Security

Warning: This privacy website might depress you

The Privacy Rights Clearinghouse website offers a lot of information on reported data breaches that you might find alarming.

After reading the story about a malicious hacking exploit that resulted in the burnout of a water pump at a utility in Illinois recently, I decided to see if I could get a more comprehensive idea of how many similar incidents have been reported. The chaos and damage that might result from well-executed cyberattacks on our electrical grid and other infrastructure targets has been largely theoretical so far (on a wide-scale basis), but it's a possibility that, no doubt, disturbs the dreams of many security experts at government agencies and elsewhere.

First, here's the gist of what happened in Illinois.  A hacker managed to infiltrate a SCADA system for the Curran-Gardner Township Public Water District that managed the water pump. After setting it to continually power on and off, the pump eventually failed. That's bad enough, but the attack, which is said to have originated from a server in Russia, was not a model of sophistication. It exploited an extremely vulnerable instance of phpMyAdmin -- a level of security maintenance that one Sophos analyst described as almost "criminally negligent" in the Information Week report. This incident, in turn, inspired another exploit at a water treatment facility in Texas.

In trying to get an idea of how many of these incidents are actually occurring, I found the website, Privacy Rights Clearinghouse. It is mostly aimed at helping inform and empower consumers about privacy issues of all kinds, but one of its features is the searchable Chronology of Data Breaches database that they have been compiling since 2005. So for instance, if you want to see how many instances of hacking and malware resulted in reported breaches at a government/military organization in 2010-2011, you would select from the boxes and brace yourself for the list.

Yikes! And of course, what shows in the results is just what has been publicly reported -- along with a few sentences about what was compromised and how. Neither of the recent utility intrusions was in the list -- at least not yet -- but I thought the database was still pretty intriguing on its own. Whether you're using it for research, compiling some examples for a cautionary presentation, or just curious as to the current state of security lapses, this site might be a useful reference for you.

And on the subject of what led me to PRC, I was struck by the Illinois incident because it represents one of the first actual exploits against a utility that resulted in a loss of control and physical damage of a public system -- not just a breach that revealed sensitive data or a Stuxnet-type worm targeting particular software. Are there others that I'm just not aware of, or is this the vanguard of a disturbing new trend? Feel free to offer your own take on how serious the threat is for a wide-scale disruption of critical infrastructure components via a cyberattack.

About

Selena has been at TechRepublic since 2002. She is currently a Senior Editor with a background in technical writing, editing, and research. She edits Data Center, Linux and Open Source, Apple in the Enterprise, The Enterprise Cloud, Web Designer, and...

6 comments
HAL 9000

I saw an article somewhere today where they are claiming that it's all a Hoax. Depends on the motor type I suppose as it's possible to do and I know I did much worse when I did some Penetration Testing of a Critical Facility. Or another time we set up a Virtual Environment of a Computer Controlled Town, things like Traffic Lights were computer controlled and they gave us a challenge to break the system. It took me all of 5 minutes to turn every traffic light green and leave it there. I then went on to run that Class on Security. :D Col

AnsuGisalas

Finally someone is looking into getting those unsafe installations off the grid... too bad they have to hack them one by one to do it :p

aureolin

Just wait until someone discovers that your new 'SmartMeter' electric meter is just an unprotected computer on an unprotected network. Let the fun begin. :-P

Tony Hopkinson

against that sort of attack in the early 90s, didn't invent the discipline either. Another thing that's not new is hiring incompetents because they are cheaper, or may be not, eh...

HAL 9000

It's a great thing that no one else has made any mention of things like this happening previously as no one knows anything about it unless they actually bother to look. Any Computer Controlled System connected to a Phone Line can suffer problems like this or much worse. This has been common Knowledge since the Internet was invented. The only thing that depresses me here is that it's being reported as New. Col

martian

When are you so-called journalists going to get it through your heads that "hacker" is not the correct term to refer to these people? They're "malicious security crackers". PERIOD