That story out of Illinois smelled fishy from the beginning. I mean, who cycles a pump to failure as a form of "attack" ?
This is an unfortunate "conspiracy theorist" type story.
My company had remote access to many different utility sites. This has saved us and the utilities thousands of dollars by allowing remote tuning and troubleshooting instead of buying a plane ticket. We generally set up our systems so that onsite operator intervention was required for access - usually physically plugging in a cable. This type of bogus story will feed the municipal IT staff paranoia and make it impossible to get this kind of access in the future, regardless of safeguards.
You are correct, Ken. There are lots of things on a water and wastewater site more significant as potential targets than failing a pump! To access them would generally require several things simultaneously:
- Malicious intent
- Knowledge of the plant equipment
- Knowledge of the SCADA system
- Knowledge of the passwords and other IT protections
- Knowledge of the tag base, equipment register addresses, etc.
Could it be done? Yes. It would probably have to be an inside job, though.