Another U.S. SCADA system compromised thanks to lousy security

After news broke on Friday that a water utility company in Springfield, Illinois had suffered a hack attack that ended in the destruction of a water pump, the U.S. Department of Homeland Security declined to confirm whether there was any truth to the claim and said that it is still investigating the matter.

“At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” it commented in a press release.

The statement infuriated a hacker who goes by the handle “pr0f”. “I dislike, immensely, how the DHS tend to downplay how absolutely f****d the state of national infrastructure is,” he wrote in a Pastebin post. “I’ve also seen various people doubt the possibility an attack like this could be done.”

So, he made sure to prove that other Supervisory Control and Data Acquisition (SCADA) systems are equally insecure by posting a number of images that appear to be schematics of water plants and lift stations in South Houston.

He claims that he did not do any damage to the machinery. “I don’t really like mindless vandalism. It’s stupid and silly,” he wrote. “On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic.”

According to Threatpost, he shared that the human-machine interface software used to manage water and sewage infrastructure was accessible from the Internet and had laughable security in place: access to it was protected by a three-character password.

The screenshots and the hacker’s claims have not yet been verified by either the South Houston utility company or law enforcement agencies.