US warns Iranian terrorist crew broke into 'multiple' US water facilities

Iran-linked cyber thugs have exploited Israeli-made programmable logic controllers (PLCs) used in "multiple" water systems and other operational technology environments at facilities across the US, according to multiple law enforcement agencies. In a take-out-the-trash-time release on Friday night security advisory, the FBI, …

  1. Paul Crawford Silver badge

    broke into US-based water facilities by using default passwords for internet-accessible PLCs

    At which point the board of the company should personally be on the hook for failing to perform any form of network security. Not that they would personally do it, but they clearly were negligent in their duty to employ competent staff, and to have any sort of checking process at all.

    This is not "victim blaming" but holding those to account who should be protecting strategic infrastructure.

    1. Woodnag

      Considering US/Israel spies sabotaged Iranian cyclotron PLCs, you'd think the follow-on plan would be to ensure that the favour couldn't be returned...

    2. Throatwarbler Mangrove Silver badge
      Not victim blaming

      For once, I agree. While the real villains are still the "hackers," failing to perform the most basic security tasks is truly negligent.

    3. Wzrd1 Silver badge

      At which point the board of the company should personally be on the hook for failing to perform any form of network security.

      What board? They are a municipal water company, which would be a board of two and an entire staff of three, counting the "board".

  2. DryBones

    That's pretty much criminal negligence, it appears.

  3. Cynical Pie

    So you're telling me password isn't a secure password?

    who would ever have guessed... ***goes and changes to 'Password1' as no one will guess that***

      Perhaps they should have updated to use a secure password

      1. Strahd Ivarius Silver badge

  4. jmch Silver badge

    My first thought....

    ... on reading "Iranian terrorist crew broke into 'multiple' US water facilities"

    was Iran scuba divers breaking into Seaworld!!!

    Time for coffee!!

  5. t245t Silver badge
    Don't expose PLCs to the open internet and don't use default passwords

    It took this many and that long to figure this out /s

    Cybersecurity and Infrastructure Security Agency (CISA), Environmental Protection Agency (EPA), Israel National Cyber Directorate (INCD), National Security Agency (NSA), The FBI

  6. ChrisBedford

    Uh huh.

    we have seen no access to operational systems at these water facilities, nor have we seen any impact to the provision of safe drinking water


    At this time, it appears that Cyberav3ngers is the only gang targeting Israel-made gear in US critical infrastructure facilities

    "Have seen no access" and "appears" are not the most confidence-inspiring phrases in this context.

  7. DafyddGrif

    This information is a sad example of the lackadaisical attitude that has been and still is prevalent with utility companies in the USA, UK and most if not all of Europe. Back in 2009, a colleague of mine and I met with a scientist from EPRI in San Francisco. He confirmed then that there was no meaningful cyber security protection from power generation right through to the distribution network. As far as I am aware, little if anything had changed and this weakness across the water, gas and oil, electricity and most organizations is still evident. It can't be a lack of potential applications to combat exploits. It has to be a lack of action, effort and will on behalf of the management of these companies. Bombs and other destructive devices are no longer needed to paralyze a nation. Coordinated Zero Day attacks on all of them would bring any nation to its knees without a shot being fired. When will they learn? Perhaps we will hear this well-worn phrase after an attack "lessons must be learned" - but then it may be too late.

      Makes sense. In California, the utility PG&E regularly start fires to burn down houses and cause billions in damage so there is not much point them defending against competition from terrorists.

  8. martinusher Silver badge

    Iranians? Terrorists?

    Oh dear, my government's at it again. It never loses a beat associating words like 'terrorist' with some country it doesn't like, like 'Iran'. All it's really doing by underestimating the intelligence of its population is lowering its credibility. (...assuming it could get any lower, that is)

    US foreign policy is made by career functionaries who often have a bee in their bonnet about particular countries. They drive policy and propaganda and often are so off base these days that we must look rather pathetic to the rest of the world. The trouble is that these people drag us -- the country and we, the people -- into their own personal vendettas so instead of being able to live with a country (which doesn't necessarily mean "agree with", note) we get dragged into all sorts of foreign adventures, most, if not all, turn out badly for us as a nation and really badly for the locals. (Except that 'the rest of the world' is now big enough to stand on its own two feet -- we can stomp on a small island for 60 years or so and they just have to put up with it; doing the same for someone a bit bigger like Iran is not at all effective and doing it to someone that's really big like China is just going to get our foot mangled.)

  9. Kev99 Silver badge

    Once more the idiocy of using the internet, aka the bunch of holes connected with string, for confidential, proprietary, business critical data is proven. The decision to do this is driven not by efficiency or technology but rather by the bean counters who are more concerned with hitting the quarters' numbers than protecting their businesses or customers.

    1. Wzrd1 Silver badge

      The decision to do this is driven not by efficiency or technology but rather by the bean counters who are more concerned with hitting the quarters' numbers than protecting their businesses or customers.

      Yeah, Billy-Bob and John-Boy really care about the quarters numbers, rather than taking up a handful of computer security courses. Because, it's far cheaper for their minimum wage selves to take college level courses than to just set up the water processing equipment for their town of 10k than it is to just set up the equipment and hope that nobody notices.

      The singular case outlined was from a community of that number, from a water works for said community with a part time employee base of six, two being managers.

      But, it's all about profits, because water in a land where water is plentiful is ever so prohibitively expensive or something. Why, that Pennsylvania river right outside of my window is obviously worth its weight in platinum!

  10. An_Old_Dog Silver badge

    Paragraph Four

    ... says it all. "Default passwords" and "internet-accessible PLCs".

    Asses. Need. To. Be. Seriously. Kicked.

    1. Wzrd1 Silver badge

      Re: Paragraph Four

      Some years back, when I was supporting small to mid sized businesses, a chemical company (I joke not) had an internet presence that the owner insisted upon self-hosting.

      The admin password being LetMeIn. Nothing could convince him to use a password that was stronger, such as 'assword'...

  11. An_Old_Dog Silver badge

    Ah. Terrorists. So That's Why ...

    ... our city's water tastes like shit.

    1. Strahd Ivarius Silver badge

      Re: Ah. Terrorists. So That's Why ...

      no, no need for terrorists, you just need stockholders...

