Water supply system reportedly hacked, with physical damage

Bellovin comments on Krebs blog post about CNN’s report on water supply system breach.

According to¬†press reports, a water utility’s SCADA network was hacked. The attacker turned a pump on and off too much, resulting in physical damage to the pump. This is an extremmely significant incident, for three reasons:

 

  • The attack actually happened.
  • Ordinary, off-the-shelf hacking tools were used, rather than something custom like Stuxnet
  • Physical damage resulted
This is the scenario that security people and the Dept of Homeland Security have been predicting for years. Sophisticated methods with 0-day vulnerabilities were not needed. When the FBI investigates, will the Curran-Gardner Public Water District (near Springfield, IL) be called out for lax security practices as was Nasdaq?