The Department of Homeland Security (DHS) is warning that hackers from the loose online protest collective called Anonymous have threatened attacks against the computer systems that run factories, power stations, chemical plants, and water and sewage facilities.
“While Anonymous recently expressed intent to target [industrial control software], they have not demonstrated a capability to inflict damage to these systems,” reads a leaked bulletin from from the department’s National Cybersecurity and Communications Integration Center.
DHS did not immediately respond to a request for comment.
Industrial control software (ICS) systems, also known as Supervisory Control And Data Acquisition (SCADA) systems, are considered among the most dangerous targets for hackers because successful attacks could damage or destroy the industrial equipment they control — blowing up power generators, releasing clouds of dangerous chemicals or polluting water supplies.
The bulletin, which is unclassified but restricted “For Official Use Only,” notes that hackers from Anonymous have posted computer code and other material that show an interest in ICS computer programs, and some ability to get access to ICS systems.
It also warns that the group’s hackers “could be able to develop capabilities to gain access and trespass on [ICS] networks very quickly,” although they have not yet carried out any attacks.
The bulletin says oil and gas companies might be at particular risk because of what it calls a “green energy” agenda on the part of Anonymous, highlighting the campaign the group has supported against the trans-continental Keystone XL oil pipeline and the Alberta Tar Sands project in Canada.
“This targeting could likely extend beyond Anonymous to the broader [hacker activist] community, resulting in larger-scope actions against energy companies,” warns the bulletin, issued last month and posted Monday by the website Public Intelligence.
The bulletin notes that tools used by both “white hat” and “black hat” hackers to search for holes in computer security are increasingly able to look at ICS equipment.
Such tools “can be directly used with novice level skills in hacking and little to no background in control systems,” the bulletin states.
“In addition, there are control systems that are currently accessible directly from the internet and easy to locate through internet search engine tools and applications. These systems could be easily located and accessed with minimal skills in order to trespass, carry out nefarious activities, or conduct reconnaissance activities to be used in future operations,” the bulletin warns.
The bulletin urges “owners and operators of critical infrastructure control systems … to engage in addressing the security needs of their [ICS] assets.”