The other day I was investigating a presentation by hackers of foreign origin. Their slide deck, which included references to finding Internet-connected SCADA, presented a screenshot of an HMI.
Close examination showed it belonged to a water treatment facility in the USA. I was concerned that it could mean attackers had gained access to the HMI over the Internet.
I looked up contact info for the water department at the municipality and shot off an email. I didn’t expect to get any response, as previous attempts with other organizations in similar situations had proved fruitless.
I was surprised when I got a call from the municipality’s IT director. Woot! Someone cared!
Most munis, and water in particular, are under-funded and under-staffed. Security is about the bottom of the list. Simultaneously confirming and dismissing my stereotype, the director told me that her very position had previously been a “parking” spot for policemen who needed something to do (AKA couldn’t be fired).
She thought that it might very well be a breach, and promised to look into it. Later that day, I got another call, this time from a plant engineer, who reported that the system integrator had posted numerous HMI screenshots of their plant to the public Internet — including the one in question.
He believed this to possibly be a breach of the NDA under which the work was done.
In some ways it was a relief. In others it was disconcerting.
Lessons learned:
- There are munis that care
- There are water people who care
- Watch out for the integrators
- Hackers of foreign origin are looking