We have another control system incident in the news that will surely fill up slide decks for the next decade.

News became public yesterday of the arrest of a security guard involved in a compromise of the HVAC system, and likely the rest of the hospital network, at the Carrel Clinic in Dallas, Texas. Thankfully nothing was done to disturb the operation of the HVAC system before the arrest could be made, but it seems plans were in place for it on or around July 4th. Anyone who has been to Texas in July knows that this could easily have been life-threatening for those already at the hospital.

From the information available, it looks like this is going to be a case of no one watching the watchers combined with poor separation of corporate and control systems, assuming that the computer compromised in the video wasn't controlling the HVAC. From my experience, hospitals usually have a pretty good handle on systems that directly affect patients; we're not seeing machines controlling a morphine drip connected to open wireless (though some of the information systems with patient data make me worry). Perhaps this will be a good example for other healthcare groups on how to better protect not only their data and systems that directly affect patients, but also their systems that have an indirect effect on protecting and maintaining life.

It looks like we all were a little lucky in this case due to the perpetrator doing a bit too much bragging and leaving quite a bit of information on the web for someone to dig up. It seems that the lion's share of the credit for that digging goes to Wesley McGrew, a research assistant in the Critical Infrastructure Protection Center at Mississippi State, who tracked down the information necessary for the arrest to be made. Details, including the criminal complaint, can be found on his blog, and it looks like there is loads more information about the investigation and the trail of bits that the attacker left behind.