Hackers are known for attacking the computers of banks and government agencies. Now they have a new favorite target: the U.S. water system.
In an unsettling new report on cyber attacks against the nation’s critical infrastructure, the Department of Homeland Security said that water plants were targeted 81 times in 2011, compared with only two incidents in 2010.
Last year’s attacks accounted for about 40 percent of the online assaults against U.S. control systems, which are computers that run industrial facilities. There were 198 attacks on control systems in 2011, a nearly fivefold increase over 2010, when the number was 41, according to the agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The overall numbers highlight the increased sophistication of cyber attackers and the higher stakes in targeting infrastructure. Doomsday scenarios abound for critical infrastructure assaults, from destroying oil and gas pipelines to blacking out power grids or contaminating water supplies.
The effectiveness of the Stuxnet computer worm, which damaged nearly 1,000 centrifuges in an Iranian nuclear plant and was jointly developed by the U.S. and Israel, according to The New York Times, shows the destructive power of computer attacks that can inflict physical damage, an area of growing interest for governments.
While most computer attacks are still large in scale and involve financial fraud, such as the theft of online banking passwords and credit card numbers, some attackers are exploring smaller, more harmful assaults on physical infrastructure.
The main reason water systems had more attacks in 2011, according to ICS-CERT, is that one unidentified technology vendor was selling a remote-access program that insecurely authenticated users. The fact that the program connected to the Internet and could be found through highly specialized searches allowed hackers to easily discover it inside multiple facilities, said the report, which was released last week.
Water-infrastructure operators were targeted more often than energy companies (31 incidents in 2011), nuclear facilities (10) and chemical providers (9). Other targets include government facilities (11) and even dams, national monuments and transportation systems, according to ICS-CERT.
Many of the incidents investigated by the agency involve successful infections, some of them yielding odd results.
For instance, an unidentified facility had its control-systems plans posted on the Internet earlier this year. Intruders had not only stolen the plans, but also made adjustments to its energy management system, leading to “unusually warm” temperatures in the facility, according to ICS-CERT. The organization unplugged its network from the Internet upon discovering the breach.
It was unclear from the report whether turning up the heat and stealing the control system’s schematics were the ultimate goal of the attack, or if the attackers had more nefarious plans in mind.