Hints that Simple Password May Link to Water Treatment Plant Breakin

Recent incidents hitting U.S. infrastructure, especially water treatment plants, may indicate that the plants are more vulnerable to cyber attacks than previous thought.

Siemens said November 22 it is working with the DHS to investigate a cyber intrusion into a water treatment plant in South Houston, Texas, but could not confirm a default, three-digit password, hard coded into an application used to control the supervisory control and data acquisition SCADA software played a role. The hacker, who goes by the handle pr0f, described using an easy to crack three character password that provided access to Siemens Simatic HMI software. That description matches that of the default password assigned to new user accounts with Sm@rtService and Sm@rtClient, two applications used to remotely access Simatic HMI WinCC installations, according to Siemens documentation reviewed by Threatpost. In a statement November 22, Siemens said it is aware of the breach in South Houston in which control graphics screen shots were taken from the system and posted on the Internet. The company said it did not know of any malicious actions associated with the breach, but that it is in close contact with the U.S. Industrial Control Systems Cyber Emergency Response Team to support ongoing investigations about the incident, Siemens said. A Siemens spokesman could not confirm the hack took advantage of a default password used by the application, or one configured by officials in South Houston. However, he acknowledged that older versions of the WinCC application use three-character default passwords.

In a somewhat related incident, a suspected hacker living in Russia destroyed a pump at a water treatment plant in Springfield, Illinois, in a suspected cyber attack. The incident, which took place on November 8, was revealed by computer security expert Joe Weiss, who referred on his blog to the official record of the attack. Citing the Illinois Statewide Terrorism and Intelligence Center's report, he wrote that the hacker stole user names and passwords from a U.S. company that writes software and used them to access the control system of a public water treatment plant. They then powered the system on and off repeatedly, causing a water pump to burn out.