According to media sources, in early October 2006, the computer systems of a water treatment plant in Harrisburg, Pennsylvania were attacked and compromised by hackers based outside the United States (source). The water treatment plant's computer systems were infected via an employee's laptop that was exploited and infected via the Internet (source).
Criminals or Terrorists?
Fortunately, there is no evidence that the hackers behind the attack were targeting the water treatment plant specifically. Rather, it appears that the hackers were infecting vulnerable computers randomly for inclusion in a botnet. According to Special Agent Jerri Williams of the FBI's Philadelphia office, "we did not believe that they were doing it to compromise the actual water system, but just to use the computer as a resource for distributing e-mails or whatever electronic information they had planned." Cyber criminals are known to use botnets to send spam, enable phishing attacks, carry out denial of service attacks, engage in click fraud, and conduct other assorted cyber criminal activity. As a result, the creation and maintenance of botnets is a profitable enterprise.
While the intrusion into the Harrisburg water treatment plant appears to be attributable to cyber criminals and not terrorists intent on attacking water supplies and wastewater treatment plants, the apparent ease of the intrusion into such a sensitive target is disconcerting. It appears that the Harrisburg plant was either attacked with a zero-day exploit or the plant did not have robust security procedures, including a patch management plan, in place. In either case, it is disturbing that a vulnerable machine was allowed to connect to the water treatment plant network and spread its infection across the plant's network.
Previous Attacks
In addition to this attack, there have been at least three other cyber attacks against components of the nation's water supply infrastructure. According to the WaterISAC, an industry information sharing and analysis center with members from among more than 1,000 drinking water and wastewater systems in the US, one of the previous attacks was a denial of service on the computer network of a water supply (source). In another incident, attackers hacked a SCADA system on a California irrigation district wastewater treatment plant (source). Finally, in a third attack on an unidentified facility, hackers left a note in an apparent defacement stating "I enter in your server like you in Iraq" (source).
Enter al-Qaeda
Assuming that the attack against the Harrisburg plant was not carried out with a zero-day exploit, it appears that even vital components of the nation's critical infrastructure are vulnerable to cyber attacks. These apparent vulnerabilities are disturbing because al-Qaeda has a demonstrated intent to attack the US water supply.
Documents discovered in Afghanistan revealed, among other things, al-Qaeda's interest in disrupting the United States' water supply (source). Moreover, in January 2002, the FBI issued a bulletin stating it believed that al-Qaeda may try to gain remote control of US water supplies and wastewater treatment plants (source). Thankfully, these threats went unrealized, and neither al-Qaeda nor other emergent Jihadist cells have attacked US water supplies, wastewater treatment plants, or the water delivery infrastructure including pumping stations and pipes. However, given the apparent vulnerabilities of these systems, it may only be a matter of time before a group carries out a successful attack.