Uncle Sam probes cyberattack on Pennsylvania water system by suspected Iranian crew

CISA is investigating a cyberattack against a Pennsylvania water authority by suspected Iranian miscreants. The intrusion forced operators to switch a pumping station to manual control. The US Homeland Security agency also warned it is expecting more attempts to subvert programmable logic controllers in America's critical …

  1. JavaJester
    FAIL

    Shut Up And Make It More Secure

    Perhaps if cybersecurity rules had been implemented instead of fought against this would have been avoided.

    1. t245t Silver badge
      Boffin

      Re: Shut Up And Make It More Secure

      > Perhaps if cybersecurity rules had been implemented instead of fought against this would have been avoided.

      Have they considered not connecting their cyberwater directly to the Internet?

      --

      Afghanistani, Chinese, Iranian, North Korean, Russian miscreants .. etc ...

      1. ecofeco Silver badge

        Re: Shut Up And Make It More Secure

        Ah I see someone else has spotted the obvious.

        WTH were they thinking?!

  2. Mayday
    Thumb Down

    1111

    Change to 3521 or some other four digit pin which can be brute-forced in approximately 0.000000001 seconds.

    Edit:

    Just found the manual.

    https://www.i4automation.co.uk/unitronicspdf/VisiLogic%20-%20Getting_Started.pdf

    If you change the password to something else, then on power-up it reverts to the default of 1111!!!!!!!!! What a piece of shit.

  3. ecofeco Silver badge

    WTH?

    Why are critical systems even connected to the Internet?

    Goddamn but we live in Idiocracy.

    1. Headley_Grange Silver badge

      Re: WTH?

      Cos it's cheaper. Providing and maintaining redundant comms to dozens of sites would be expensive. With the web you can do it cheaply, but you can also do it securely. Even if you've been left with crap PLCs they can go behind a VPN, firewall and whatever other protection there is out there that I'm not familiar with. Christ, the NAS on my home network seems to have more protection than this stuff and I only really use it to store DVDs!

  4. hammarbtyp

    Pay peanuts...

    I am a bit surprised. The US has very stringent Cyber security standards for critical infrastructure via the NIST framework.

    However, this sort of thing shows the issues of implementation, especially with the high fragmentation of the market with independent water companies per state.

    It is a stretch to expect each small company to have the correct level of expertise to maintain cyber standards. Although I work in the PLC industry, I had never heard of the model indicated.

    My guess was the job was done at lowest cost fixed price and corners were cut. In cyber security you definitely get what you pay for.

  5. Manglemender

    They Started it!

    The Stuxnet worm of 2010 (developed in Israel) was a wakeup call to those of us who work in industrial automation in that even an "air gapped" system can be attacked. Prior to that no-one really considered industrial automation systems to be at risk - how times have changed.

    Since 2010 there has been a scramble across the industry for more secure systems and many serious flaws have been revealed along the way, with many attracting CVSS scores of 9+. Modern PLCs are very much more secure than they were 10 years ago but, sadly, there are an awful lot of legacy systems out there.

    Why would anyone connect any machine directly to the internet? Laziness? Naivety?

    Why would you leave such a system connected to the internet? Money? There are plenty of secure VPN gateway solutions available now. A simple Shodan search can reveal many systems connected to the internet that really ought not to be - and that includes many VPN gateway systems with default passwords! Managers of critical infrastructure need to wake up and sort their sh!t out.

    IEC 62443 is a suite of standards specifically for cyber security in Industrial Control Systems which is now becoming mainstream. Under the now imminent new Machinery Regulations a cyber security risk assessment will be a necessary part of compliance.

  6. Reginald O.

    It's war, really it is...

    There's absolutely a cyber war on between the west and the new axis of evil: Russia, Iran, NK, China, et al. What I don't get is why the "west" is content to sort of monitor it and whine about it but little else.

    Fight back for godsakes. At least try. Assuming the info is right that Iran attacked critical US infrastructure the USA should at the very least attack right back. I don't see any problem with shutting down their utilities, indeed shutting down their access to the internet altogether.

    Give us targets, ways, information, hardware and code to fight back or at least protect ourselves. Virtually every one of the articles mentioning attacks is so sparse on detail you cannot take one measly step to protect yourself from it. Are the attacks literally coming from Iranian IP addresses, or not? If so name the numbers. Give us SOMETHING! And, don't tell me they are only going after gov facilities or whatever.

    An attack on Pennsylvania is an attack on all of us. Stand up and fight!
