Hacker says he broke into Texas water plant, others

Annoyed with the downplaying of the risk to critical infrastructure systems, a hacker targets a water plant in South Houston following news of an Illinois water plant intrusion.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read
The Twitter profile picture of the hacker who says he compromised a Texas water plant and others to show how easy it is.
The Twitter profile picture of the hacker who says he compromised a Texas water plant and others to show how easy it is. pr0f

A twentysomething hacker said today that he hacked into a South Houston water utility to show that it can easily be done, after U.S. officials downplayed the risks from a report yesterday of an intrusion at an Illinois water plant.

The hacker, using the alias "pr0f," said he has hacked other SCADA (supervisory control and data acquisition) systems too.

He tweeted on November 5 links to public posts with what he identified as PLC configurations for a Polish waste-water treatment plant; SCADA data from an HMI (human-machine interface) box possibly for a generator used for research purposes at Southern Methodist University; and what he believes are water metering control system files from Spain or Portugal.

"Basically, people have no idea what's going on in terms of industrial control, groups like ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) are too slow/don't have enough power to react to situations," he wrote in an e-mail to CNET. "There's a lot of rubbish information out there that's being treated seriously, etc. Lot of crap. So I'm putting information out there to show people what kind of systems are vulnerable to basic attacks."

He said his actions were prompted by the U.S. government's response to a report from an Illinois Statewide Terrorism and Intelligence Center that said intruders compromised a water utility in the state last week, burning out a pump. Industry expert Joe Weiss blogged about the report and provided more information to CNET yesterday. The Department of Homeland Security initially identified the location as Springfield, but a local official today reportedly confirmed that it happened in nearby Curran-Gardner Townships Public Water District, but the official could not say whether it was a hacking incident.

A DHS representative responded to the report with this comment: "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."

That government response irked pr0f.

"I dislike, immensely, how the DHS tend to downplay how absolutely F***ED the state of national infrastructure is," he wrote in a Pastebin post. "Ive also seen various people doubt the possibility that an attack like this could be done."

Then he provided screenshots of what look like diagrams of water and waste-water treatment facilities in South Houston, Texas.

This is one of the screenshots provided by pr0f as proof of his intrusion into a South Houston water utility.
This is one of the screenshots provided by pr0f as proof of his intrusion into a South Houston water utility. pr0f

Fred Gonzalez, superintendent of the South Houston water plant, told CNET, "We're still checking into the whole problem and seeing what's going on."

A DHS representative said he would look into the purported Texas incident.

"I'm not going to expose the details of the box," pr0f wrote in his Pastebin post. "No damage was done to any of the machines; I don't really like mindless vandalism. It's stupid and silly.

"On the other hand, so is connecting interfaces to your SCADA machinery to the Internet," he added. "I wouldn't even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two-year-old with a basic knowledge of Simatic," which is automation software from Siemens that's used to control equipment in industrial production.

Asked how he gets into systems, pr0f said: "As for how I did it, it's usually a combination of poor configuration of services, bad password choice, and no restrictions on who can access the interfaces."

He said he isn't a security professional and doesn't work in the SCADA sector. "I'm just an interested party who has read a few books about ICS and embedded systems," he said.

Though he uses an e-mail address from a service provider in Romania, he said he is not in that country, but declined to say where he's based.

"I assumed companies located there would be less likely to cooperate with the U.S. and turn over any logs of e-mails," he said. "That said, I believe the servers for these are located in Germany, which does dent the protection somewhat."

Pr0f's Twitter profile picture shows a "V for Vendetta," or Guy Fawkes, mask, which is used by people who participate in online activism and hacking as part of the Anonymous collective.