First real-world SCADA attack in US

Steven Bellovin smb at cs.columbia.edu
Tue Nov 22 20:07:08 CST 2011


On Nov 22, 2011, at 8:08 58PM, Steven Bellovin wrote:

> 
> On Nov 22, 2011, at 7:51 59PM, Valdis.Kletnieks at vt.edu wrote:
> 
>> On Tue, 22 Nov 2011 13:32:23 -1000, Michael Painter said:
>> 
>>>> http://jeffreycarr.blogspot.com/2011/11/latest-fbi-statement-on-alleged.html
>> 
>>> And "In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as 
>>> previously reported."
>> 
>> It's interesting to read the rest of the text while doing some deconstruction:
>> 
>> "There is no evidence to support claims made in the initial Fusion Center
>> report ... that any credentials were stolen, or that the vendor was involved
>> in any malicious activity that led to a pump failure at the water plant."
>> 
>> Notice that they're carefully framing it as "no evidence that credentials were
>> stolen"  - while carefully tap-dancing around the fact that you don't need to
>> steal credentials in order to totally pwn a box via an SQL injection or a PHP
>> security issue, or to log into a box that's still got the vendor-default
>> userid/passwords on them.  You don't need to steal the admin password
>> if Google tells you the default login is "admin/admin" ;)
>> 
>> "No evidence that the vendor was involved" - *HAH*.  When is the vendor *EVER*
>> involved?  The RSA-related hacks of RSA's customers are conspicuous by their
>> uniqueness.
>> 
>> And I've probably missed a few weasel words in there...
> 
> They do state categorically that "After detailed analysis, DHS and the
> FBI have found no evidence of a cyber intrusion into the SCADA system of
> the Curran-Gardner Public Water District in Springfield, Illinois."
> 
> I'm waiting to see Joe Weiss's response.


See http://www.wired.com/threatlevel/2011/11/scada-hack-report-wrong/

		--Steve Bellovin, https://www.cs.columbia.edu/~smb








More information about the NANOG mailing list