Alms for the cyber poor: municipal water industry

The other day I was investigating a presentation by hackers of foreign origin. Their slide deck, which included references to finding Internet-connected SCADA, presented a screenshot of an HMI.

Close examination showed it belonged to a water treatment facility in the USA. I was concerned that it could mean attackers had gained access to the HMI over the Internet.

I looked up contact info for the water department at the municipality and shot off an email. I didn’t expect to get any response, as previous attempts with other organizations in similar situations had proved fruitless.

I was surprised when I got a call from the municipality’s IT director. Woot! Someone cared!

Most munis, and water in particular, are under-funded and under-staffed. Security is about the bottom of the list. Simultaneously confirming and dismissing my stereotype, the director told me that her very position had previously been a “parking” spot for policemen who needed something to do (AKA couldn’t be fired).

She thought that it might very well be a breach, and promised to look into it. Later that day, I got another call, this time from a plant engineer, who reported that the system integrator had posted numerous HMI screenshots of their plant to the public Internet — including the one in question.

He believed this to possibly be a breach of the NDA under which the work was done.

In some ways it was a relief. In others it was disconcerting.

Lessons learned:

  • There are munis that care
  • There are water people who care
  • Watch out for the integrators
  • Hackers of foreign origin are looking