The remote breach of a Scada (supervisory control and data acquisition) controller unit is thought to have caused the partial shutdown at a US water processing plant in Illinois, prompting experts to once again question the security of vital infrastructure.
Authorities say an attacker was able to obtain login credentials and access a Scada controller that managed a water pump. The credentials are believed to have been obtained through a breach at a firm that develops controller software for the device.
The attacker then used the compromised Scada controller to turn the pump off and on multiple times, eventually causing the unit to fail on 8 November.
Andrew Brandt, director of research for Solera Networks Research Labs, told V3 that in many cases security on Scada devices is a "Tootsie Pop" [lollipop] situation in which an attacker who penetrates the external layers of security will find a "soft centre" that can make controlling the device easy.
"For the most part they are not necessarily designed to be connected to the internet, but engineers can put in workarounds for remote access," Brandt explained.
"Anytime you do this you put in a pathway where someone can get in."
Researchers have traced the system used in the attack to Russia. Brandt cautioned that the attackers could simply be using a hacked system as a proxy, and may not even be the same party responsible for the breach of the software developer.
Attackers have in the past used compromised systems to sabotage industrial equipment. The Stuxnet malware was believed to have been developed to access and sabotage nuclear centrifuges in Iran, while the Duqu malware is similarly believed to target industrial hardware.
While no serious damage resulted from the attack, the event is once again bringing close scrutiny to the security of critical infrastructure and Scada systems in particular.
For Brandt, the real issue goes beyond Scada devices and extends to all internet-connected appliances.
"Attacks are getting targeted at these edge-case machines where they want to steal something specific," he said, "and it is that specificity which to me gets scary."