This is me, looking shocked.
Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery, a computer security expert said.
Joe Weiss, a managing partner for Applied Control Solutions, said the breach was most likely performed after the attackers hacked into the maker of the supervisory control and data acquisition software used by the utility and stole user names and passwords belonging to the manufacturer's customers. The unknown attackers used IP addresses that originated in Russia.
These control systems absolutely, positively should not be connected to the Internet. Yes, that makes them hard to access remotely. That's the point.“Over a period of two to three months, minor glitches had been observed in remote access to the water district's SCADA system,” Weiss said during an interview, in which he read a verbatim portion of the document to The Register. He said that the attackers were able to burn out one of the utility's pumps by causing either the pump or the SCADA system that controlled it to turn on and off “repeatedly.”
Yes, it's a drag having to get up at Oh Dark Thirty and drive 50 miles to the pump house. But hooking the control system to Al Gore's Intarwebz means you're placing a bet that the Bad Guys will find someone else. Your entire security strategy is I feel lucky.
Damn punks, always messing with the SCADA.
* Supervisory Control And Data Acquisition computers, which run factories, refineries, the power grid, and (in this case) the water system. Security isn't an after thought, it's not thought of at all.