A hacker says he penetrated the network of a South Houston, Texas, water-treatment plant to expose the inherent vulnerabilities in critical industrial control facilities and prove how easily they can be compromised.
Going by the online name "pr0f," the hacker wrote on Pastebin Nov. 18 that he tapped into the software used to manage several of South Houston's water plants. He included links to pictures showing the privileged access he was able to gain to Supervisory Control and Data Acquisition (SCADA) software, used to automate operations at many industrial-control facilities. pr0f did not tamper with the software or any of the machines controlled by it, he said.
"No damage was done to any of the machinery; I don't like mindless vandalism," he wrote. "It's stupid and silly. On the other hand, so is connecting interfaces to your SCADA machinery to the Internet."
He added, "I wouldn't even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of [Siemens-made SCADA software] Simatic."
The City of South Houston did not respond to a call for comment.
The hacker admitted he launched the proof-of-concept attack after reading about the recent alleged hack on a Springfield, Illinois, water plant and, more importantly, what he believes was the Department of Homeland Security's poor response to the serious incident.
The original response, from DHS spokesperson Peter Boogard, read, "DHS and the FBI are gathering facts surrounding the report of a water pump in Springfield, Ill. At this time, there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."
"This was stupid," pr0f wrote on Pastebin. "You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely F***ed the state of national infrastructure is."
The DHS did not respond to a call for comment.
On his Twitter page, pr0f again called out the inherent flaws in SCADA software and the professionals responsible for installing and running SCADA-operated machines.
"The culture among the people who make and install them … just wow. So insecure a child could hack them," he wrote.
In another post Nov. 20, pr0f wrote, "I know for a fact I'm not the only person exploring systems like those online."
This apparently is not pr0f's first proof-of-concept exploit. CNET reported that on Nov. 5, pr0f posted on Twitter that he infiltrated a network used to automate a wastewater system in Poland; the day before, he posted what he believed to be water metering control systems files from Spain or Portugal.