FBI says hackers hit key services in three US cities Published duration 8 March 2012

image caption Hackers could, in theory, have turned off the lights on shoppers

The infrastructure systems of three US cities have been attacked, according to the Federal Bureau of Investigation.

At a recent cybersecurity conference, Michael Welch, deputy assistant director of the FBI's cyber division, said hackers had accessed crucial water and power services.

The hackers could theoretically have dumped sewage into a lake or shut off the power to a shopping mall, he said.

Industrial control systems are becoming an increasing target for hackers.

'Ego trip'

"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into Scada systems within the city," Mr Welch told delegates at the Flemings Cyber Security conference.

"Essentially it was an ego trip for the hacker because he had control of that city's system and he could dump raw sewage into the lake, he could shut down the power plant at the mall - a wide array of things," he added.

Such systems - commonly known as Supervisory Control and Data Acquisition (Scada) - are increasingly being targeted by hackers, following reports that they rely on weak security.

It follows two alleged break-ins to city water supplies. The first, to a water supply in Springfield, Illinois, was later played down by the FBI which said it could find no evidence of cyber-intrusion.

Initially it had thought a hardware fault was caused by Russian hackers but it later emerged that this was not the case.

In another attack a hacker named pr0f claimed to have broken into a control system that kept water supplied to a town in Texas.

The hacker said the system had only been protected by a three-character password which "required almost no skill" to get around.

Mr Welch did not confirm whether this breach was one of the three he was talking about.

Default passwords

Security experts predict there will be a rise in such attacks.

"Such systems have become a target partly because of all the chatter about the lack of security. Hackers are doing it out of curiosity to see how poorly they are protected," said Graham Cluley, senior security consultant at Sophos.

He said that many relied on default passwords, and information about some of these passwords was "available for download online".

Furthermore the firms that run Scada systems, such as Siemens, often advise against changing passwords because they claim the threat from malware is not a great as the problem that will be caused if passwords are changed.

"Not changing passwords is obviously slightly crazy. Proper security needs to be in place otherwise it is laughable," said Mr Cluley.

24-hour surveillance

Industrial-scale hacking hit the headlines in 2010 with news of a worm aimed at Iran's nuclear facilities. Stuxnet was widely rumoured to have been developed by either the US or Israeli authorities and, according to experts, was configured to damage motors used in uranium-enrichment centrifuges by sending them spinning out of control.

Iran later admitted that some of its centrifuges had been sabotaged although it downplayed the significance of Stuxnet in that.

This year a Stuxnet copycat, Duqu, was discovered by security experts.

Initial analysis of the worm found that parts of Duqu are nearly identical to Stuxnet and suggested that it was written by either the same authors or those with access to the Stuxnet source code.

Unlike Stuxnet it was not designed to attack industrial systems but rather to gather intelligence for a future attack.