According to an ABC News report and InfoWorld, hackers gained unauthorized access to the computer systems at a Harrisburg, Pennsylvania, water treatment plant in early October. An employee's laptop was compromised via the Internet and used by the hackers as an entry point to access administrative systems and install viruses and spyware.
The U.S. Federal Bureau of Investigation is investigating the incident and believes the attackers were working outside the U.S. As of this writing, no arrests have been made. Initial reports indicate that the hackers were not directly targeting the treatment plant, but instead used the compromised system to generate e-mail spam. Regardless, the intrusion could have interfered with the plant's operations.
I’m not totally surprised by this event, but I’m concerned that an organization managing a part of our nation’s critical infrastructure doesn’t appear to be following standard IT security procedures. I don’t know the specifics of the treatment plant’s security measures, but I have to wonder how effective they are. Why was the employee’s laptop compromised? Was the laptop not running antivirus or antispyware software? Were the virus or spyware definition files not properly updated? Were the operating system, Web browser, and other applications lacking current patches? Lastly, why was the laptop allowed to compromise the plant’s administrative systems?
While no security measure can stop a determined attacker with enough skill, time, and the right resources, properly implemented security practices and policies could have prevented this attack. Industries and organizations that manage far less critical systems do so every day.