A descriptive list of all documented (read: publicly disclosed) cyber incidents affecting critical infrastructure facilities to date appears in a new draft revision of NIST's Guide to Industrial Control Systems (ICS) Security (Special Publication 800-82). It's a good read, and I've cut 'n' pasted the list from the report here below. With only 14 incidents included, the list isn't long but the business and public trust impact of each event is nontrivial. It's the best reminder I've seen of why we need to pay attention to CIP.
Incidents are divided into four categories: adversarial, accidental, structural, and environmental.
(Interestingly, the entry on Stuxnet is free of any detail. That might be because it's too politically sensitive for a US Federal government publication: it's well known that Stuxnet targeted nuclear facilities in Iran and is attributed to US and Israeli government action. It's considered by many, including me, to be the seminal critical infrastructure cyber event to date. If you're not familiar with Stuxnet, there's plenty of good media coverage about it -- for example here, and here).
Without further ado, the list:
Worcester Air Traffic Communications
In March 1997, a teenager in Worcester, Massachusetts disabled part of the public switched telephone network using a dial-up modem connected to the system. This knocked out phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport. Also, the tower’s main radio transmitter and another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress. The attack also knocked out phone service to 600 homes and businesses in the nearby town of Rutland.
Maroochy Shire Sewage Spill
In the Spring of 2000, a former employee of an Australian organization that develops manufacturing software applied for a job with the local government, but was rejected. Over a two-month period, the disgruntled rejected employee reportedly used a radio transmitter on as many as 46 occasions to remotely break into the controls of a sewage treatment system. He altered electronic data for particular sewerage pumping stations and caused malfunctions in their operations, ultimately releasing about 264,000 gallons of raw sewage into nearby rivers and parks.
In August 2003, the Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours. In addition, the plant’s process computer failed, and it took about six hours for it to become available again. Slammer reportedly also affected communications on the control networks of at least five other utilities by propagating so quickly that control system traffic was blocked.
In August 2005, a round of Internet worm infections knocked 13 of DaimlerChrysler’s U.S. automobile manufacturing plants offline for almost an hour, stranding workers as infected Microsoft Windows systems were patched. Plants in Illinois, Indiana, Wisconsin, Ohio, Delaware, and Michigan were knocked offline. While the worm affected primarily Windows 2000 systems, it also affected some early versions of Windows XP. Symptoms include the repeated shutdown and rebooting of a computer. Zotob and its variations caused computer outages at heavy-equipment maker Caterpillar Inc., aircraft-maker Boeing, and several large US news organizations.
Stuxnet is a Microsoft Windows computer worm discovered in July 2010 that specifically targets industrial software and equipment. The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only specific SCADA systems that are configured to control and monitor specific industrial processes.
Brute Force Attacks on Internet-Facing Control Systems
On February 22, 2013 ICS-CERT received a report from a gas compressor station owner about an increase in brute force attempts to access their process control network. The forensic evidence contained 10 separate IPs and additional calls of a similar nature from additional natural gas pipeline asset owners, which yielded 39 additional IPs of concern. Log analysis showed a date range from January 16, 2013 but there have been no reports since March 8, 2013.
US Power Utility Compromised
On October 2012 a US power utility’s ICS was infected with the Mariposa virus when a 3rd-party technician used an infected USB drive to upload software to the systems. The virus resulted in downtime for the systems and delayed plant restart by approximately 3 weeks.
Intrusion in Energy Industry Vendor Systems
On September 26, 2012 a company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada, and Spain.
Saudi Aramco, which is the world’s 8th largest oil refiner, experienced a malware attack that targeted their refineries and overwrote the attacked system’s Master Boot Records (MBR), partition tables and other random data files. This caused the systems to become unusable.
State Crime Lab Building Control System Accessed
In January 2012, the building control system of a state’s government crime lab was remotely accessed by a hacker. Evidence of the attack was posted as a YouTube video by a user with the name @antisec.
CSX Train Signaling System
In August 2003, the Sobig computer virus was blamed for shutting down train signaling systems throughout the east coast of the US. The virus infected the computer system at CSX Corp’s Jacksonville, Florida headquarters, shutting down signaling, dispatching, and other systems. According to Amtrak spokesman Dan Stessel, ten Amtrak trains were affected in the morning. Trains between Pittsburgh and Florence, South Carolina were halted because of dark signals, and one regional Amtrak train from Richmond, Virginia to Washington and New York was delayed for more than two hours. Long-distance trains were also delayed between four and six hours.
Northeast Power Blackout
In August 2003, failure of the alarm processor in First Energy’s SCADA system prevented control room operators from having adequate situational awareness of critical operational changes to the electrical grid. Additionally, effective reliability oversight was prevented when the state estimator at the Midwest Independent System Operator failed due to incomplete information on topology changes, preventing contingency analysis. Several key 345 kV transmission lines in Northern Ohio trip due to contact with trees. This eventually initiates cascading overloads of additional 345 kV and 138 kV lines, leading to an uncontrolled cascading failure of the grid. A total of 61,800 MW load was lost as 508 generating units at 265 power plants tripped.
Taum Sauk Water Storage Dam Failure
In December 2005, the Taum Sauk Water Storage Dam suffered a catastrophic failure releasing a billion gallons of water. The failure of the reservoir occurred as the reservoir was being filled to capacity or may have possibly been overtopped. The current working theory is that the reservoir's berm was overtopped when the routine nightly pump-back operation failed to cease when the reservoir was filled. According to the utility, the gauges at the dam read differently than the gauges at the Osage plant at the Lake of the Ozarks, which monitors and operates the Taum Sauk plant remotely. The stations are linked together using a network of microwave towers, and there are no operators on-site at Taum Sauk.
Bellingham, Washington Gasoline Pipeline Failure
In June 1999, 900,000 liters (237,000 gallons) of gasoline leaked from a 16” pipeline and ignited 1.5 hours later causing 3 deaths, 8 injuries, and extensive property damage. The pipeline failure was exacerbated by control systems not able to perform control and monitoring functions. “Immediately prior to and during the incident, the SCADA system exhibited poor performance that inhibited the pipeline controllers from seeing and reacting to the development of an abnormal pipeline operation.” A key recommendation from the NTSB report issued October 2002 was to utilize an off-line development and testing system for implementing and testing changes to the SCADA database.
The whole NIST document is worth a read if you're interested in cyber security of critical infrastructure. It's one of the definitive write-ups on this topic. Link here is to Revision 1, the latest official version. But the new draft, Revision 2 which is where I found the above incident list, is more interesting and relevant because it's updated to cover the current threat landscape. NIST was accepting public comments on Revision 2 until 18th July 2014, so I assume the final version is in the works and will be out soon. I'll plan to post the link here once it's published.