After reading the story about a malicious hacking exploit that resulted in the burnout of a water pump at a utility in Illinois recently, I decided to see if I could get a more comprehensive idea of how many similar incidents have been reported. The chaos and damage that might result from well-executed cyberattacks on our electrical grid and other infrastructure targets have been largely theoretical so far (on a wide-scale basis), but it’s a possibility that, no doubt, disturbs the dreams of many security experts at government agencies and elsewhere.
First, here’s the gist of what happened in Illinois. A hacker managed to infiltrate the SCADA system for the Curran-Gardner Township Public Water District that controlled the water pump. After the attacker set the pump to power on and off continually, it eventually failed. That’s bad enough, but the attack, which is said to have originated from a server in Russia, was not a model of sophistication. It exploited an extremely vulnerable instance of phpMyAdmin — a level of security maintenance that one Sophos analyst described as almost “criminally negligent” in the Information Week report. This incident, in turn, inspired another exploit at a water treatment facility in Texas.
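The failure mode described above (a pump cycled on and off until it burned out) is something a utility can watch for in its own control-system logs. The following is an added example, not code from the original post or from any of the utilities or vendors mentioned; the log format, the tag names (PUMP_1, PUMP_3), the HMI host name and the thresholds are all constructed assumptions for illustration. It reads command-log lines and raises an alert whenever a single pump receives more START/STOP commands within a trailing window than normal operation would ever produce.

```python
"""Added example (not from the original post): flag rapid on/off cycling
of a pump from a constructed SCADA command log. The log format, tag
names, host name and thresholds are assumptions for illustration."""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source host> <tag> <command>".
# PUMP_3 is toggled seven times in just over two minutes; PUMP_1 shows a
# normal start in the afternoon and a stop in the evening.
SAMPLE_LOG = """\
2011-11-08T10:00:00 hmi-01 PUMP_3 START
2011-11-08T10:00:20 hmi-01 PUMP_3 STOP
2011-11-08T10:00:41 hmi-01 PUMP_3 START
2011-11-08T10:01:02 hmi-01 PUMP_3 STOP
2011-11-08T10:01:25 hmi-01 PUMP_3 START
2011-11-08T10:01:50 hmi-01 PUMP_3 STOP
2011-11-08T10:02:10 hmi-01 PUMP_3 START
2011-11-08T14:00:00 hmi-01 PUMP_1 START
2011-11-08T18:30:00 hmi-01 PUMP_1 STOP
"""


def parse_line(line):
    """Split one log line into (timestamp, source host, tag, command)."""
    ts, source, tag, command = line.split()
    return datetime.fromisoformat(ts), source, tag, command


def find_rapid_cycling(log_text, window=timedelta(minutes=5), max_changes=4):
    """Return a list of (tag, timestamp, count) alerts.

    An alert is produced for every state-changing command (START/STOP)
    that brings the number of such commands for the same tag within the
    trailing `window` above `max_changes`. Equipment that is cycled this
    often is being abused, whether by an intruder or a faulty automation.
    """
    recent = {}   # tag -> deque of timestamps of START/STOP commands
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, _source, tag, command = parse_line(raw)
        if command not in ("START", "STOP"):
            continue   # status reads, setpoint changes etc. are not cycling
        q = recent.setdefault(tag, deque())
        q.append(ts)
        # Drop commands that have fallen out of the trailing window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_changes:
            alerts.append((tag, ts, len(q)))
    return alerts


if __name__ == "__main__":
    for tag, ts, count in find_rapid_cycling(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {tag}: {count} START/STOP commands "
              f"within the last 5 minutes")
```

With the sample above, PUMP_3 produces three alerts (for its fifth, sixth and seventh commands) and PUMP_1 none. The thresholds are deliberately simple; a real deployment would tune the window and count per asset, since a dosing pump may legitimately cycle far more often than a main lift pump.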
In trying to get an idea of how many of these incidents are actually occurring, I found the website Privacy Rights Clearinghouse. It is mostly aimed at informing and empowering consumers about privacy issues of all kinds, but one of its features is the searchable Chronology of Data Breaches database, which it has been compiling since 2005. So, for instance, if you want to see how many instances of hacking and malware resulted in reported breaches at government/military organizations in 2010-2011, you select the appropriate boxes and brace yourself for the list.
Yikes! And of course, what shows in the results is just what has been publicly reported — along with a few sentences about what was compromised and how. Neither of the recent utility intrusions was in the list — at least not yet — but I thought the database was still pretty intriguing on its own. Whether you’re using it for research, compiling some examples for a cautionary presentation, or just curious about the current state of security lapses, this site might be a useful reference for you.
And on the subject of what led me to PRC, I was struck by the Illinois incident because it represents one of the first actual exploits against a utility that resulted in a loss of control and physical damage of a public system — not just a breach that revealed sensitive data or a Stuxnet-type worm targeting particular software. Are there others that I’m just not aware of, or is this the vanguard of a disturbing new trend? Feel free to offer your own take on how serious the threat is for a wide-scale disruption of critical infrastructure components via a cyberattack.