South Houston Water Treatment Plant Hack

Event Year: 2011 Reliability: Likely But Unconfirmed
Country: United States
Industry Type: Water/Waste Water
Description:

A hacker claims to have penetrated the network of a South Houston water treatment plant.  His intent was to expose vulnerabilities in critical industrial controls and show how easily they can be compromised.  Using the name “prof”, the hacker posted on Pastebin November 18, 2011 that he gained access the software used to manage several of South Houston’s water plants.  Included in his post were links to pictures showing the privileged access he gained to the SCADA software. He said that he did not tamper with the software or any of the machines controlled by it. The hacker described using an easy-to-crack three character password that provided access to Siemens Simantic HMI software.

The City of South Houston did not issue a response.  Siemens is working with the U. S. Department of Homeland Security to investigate the incident.  “A Siemens spokesman could not confirm that the hack in South Houston, Texas, took advantage of a default password used by the application, or one configured by officials in South Houston.  However, he acknowledged that older versions of the WinCC application do use three character default passwords.”

Impact:

No actions were taken after gaining access.  However, the hacker believes his level of access would have allowed him to “play with a few settings; turn off components, and lock people out of the remote access service for a time”.