Need more proof that SCADA systems are seriously vulnerable? Here's the story of how hackers messed with railroad signals for a couple days last month, after breaking into a Northwest rail company's computer systems.
Hackers, possibly from abroad, executed an attack on a Northwest rail company's computers that disrupted railway signals for two days in December, according to a government memo recapping outreach with the transportation sector during the emergency.
On Dec. 1, train service on the unnamed railroad "was slowed for a short while" and rail schedules were delayed about 15 minutes after the interference, stated a Transportation Security Administration summary of a Dec. 20 meeting about the episode obtained by Nextgov. The following day, shortly before rush hour, a "second event occurred" that did not affect schedules, TSA officials added. The agency is responsible for protecting all U.S. transportation systems, not just airports.
"Amtrak and the freight rails needed to have context regarding their information technical centers," the memo stated. "Cyberattacks were not a major concern to most rail operators" at the time, the memo continued, adding, "the conclusion that rail was affect [sic] by a cyberattack is very serious."
These revelations don't surprise us, because we've been covering the risk to critical infrastructure at length in recent months.
Last month CSO contributing writer George V. Hulme wrote about how security software researcher Billy Rios reported an authentication bypass flaw within Siemens software that is used to manage industrial control and critical infrastructure systems. "I've been patiently waiting for a fix for the issue which affects pretty much every Siemens SIMATIC customer," Rios said in a blog post yesterday. After waiting roughly seven months for a response, or a fix, Rios was recently told, through a Reuters reporter, that Siemens was not aware of "open issues regarding authentication bypass bugs at Siemens." After that feedback, Rios decided to take what he knew about the flaws public in his blog post.
George has also written about the need to pressure SCADA developers the way software developers are pressured to write more secure code. He wrote: "The discovery of a number of what have been described as serious vulnerabilities within industrial control systems built by manufacturing giant Siemens AG -- and the subsequent nixing of a presentation about those very vulnerabilities -- has raised questions about how the nature of vulnerability disclosure should -- or shouldn't -- change when it comes to the security flaws in industrial systems."
Then there were reports that hackers had attacked and destroyed a water pump in Springfield, Illinois. Those reports may have been a bit over-hyped, but that and everything above add up over time to paint a picture of a significant threat we have to deal with sooner rather than later.