Illinois utility targeted by cybersaboteurs? US pours water on the idea.
The Illinois water utility supposedly was the first critical bit of US infrastructure damaged by foreign cybersaboteurs. The DHS and FBI found no evidence it was hacked, but are now investigating another suspected attack.
An Illinois water utility suspected of being the first piece of critical infrastructure on US soil to be successfully targeted by foreign cybersaboteurs was not sabotaged at all, a Department of Homeland Security investigation found.
At the same time, DHS and the Federal Bureau of Investigation are investigating an apparently unrelated, yet concurrent cyberintrusion into a South Houston water utility's computerized control system.
In the Illinois utility's case, a computer-controlled pumping system was reported to have been hacked – and a pump burned out – by hackers operating through a computer with an address in Russia, according to a Nov. 10th report by the Illinois Statewide Terrorism and Intelligence Center, a federal-state cooperative venture. If true, it would have been by far the more serious cyberattack.
That's because in addition to the pump damage, passwords and user identifications granting access to other utilities were reportedly stolen from a water-utility vendor, raising the possibility that other utilities could be hacked, too, and with far more serious damage.
Some details of the Illinois report were first revealed on the blog of Joe Weiss, president of Applied Control Solutions and a control-system security expert. But the DHS investigation of the Illinois terrorism center's "raw, unconfirmed" information found nothing suspicious, federal officials say.
"After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the [computerized industrial control] system of the Curran-Gardner Public Water District in Springfield, Illinois," DHS spokesman Chris Ortman said in the statement e-mailed to the Monitor.
"There is no evidence to support claims made in initial reports – which were based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen or that the vendor was involved in any malicious activity that led to a pump failure at the water plant."
Sensitivity to cyberattacks on computerized industrial control systems has soared in the past year since the discovery of Stuxnet, the first publicly confirmed cybersuperweapon – a digital guided missile that could emerge from cyberspace to destroy a physical target in the real world. Its target was Iran's nuclear fuel facilities, and security experts predicted that copycat attacks on real-world industrial equipment could follow within a year or two.
Despite such concerns, DHS and FBI have concluded "there was no malicious traffic from Russia or any foreign entities, as previously reported," Mr. Ortman's statement says. "Analysis of the incident is ongoing and additional relevant information will be released as it becomes available."
But the DHS finding that there was nothing at all behind what had seemed to be fairly specific claims in the state report was less than reassuring to Mr. Weiss. Local media reports had also quoted utility officials saying there had been a cyberattack.
"Why would the state terrorism center put out such a definitive report to their critical infrastructure operators in Illinois," he wonders. "That Illinois report never used one word to indicate it was preliminary or raw.... This whole thing just smells so bad, because there was way too much specificity in there to just toss it all off."
DHS officials did confirm, however, that the department and the FBI are investigating a separate suspected hack into the computer-controlled pumping system of a South Houston water treatment facility.
Computer "screenshots" of diagrams purported to be those belonging to the computer-controlled waste-treatment system in Houston were posted by a hacker calling himself "prOF" on Nov. 18 – shortly after the Illinois incident was reported by news media. The DHS had initially downplayed the suspected hacking of the Illinois facility.
"This was stupid," prOF wrote in a message posted with the diagrams on the public website Pastebin, often used by hackers to communicate anonymously. "You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely [messed up] the state of national infrastructure is."
This is what prompted him to show that DHS was wrong, and that such systems were easy to hack.
"I was furious at the lack of proper government response," prOF wrote in an e-mail exchange with Chester Wisniewski, senior security adviser at Sophos Canada, a computer security firm. "The response they gave was nothing more than 'Nothing happened. Probably.' When clearly something did happen."
The hacker also indicated that, in South Houston's case, it was a simple matter of guessing what turned out to be a three-character password, and that many water utilities in the US have Internet-connected systems with weak protections. Many cybersecurity experts agree with him.
In a global assessment last year of the cybersecurity posture of critical-infrastructure sectors such as the financial industry, electric utilities, oil and gas, and others, the water/sewage sector had the lowest rate of adopting cybersecurity measures, just 38 percent. The study was carried out by the Center for Strategic and International Studies and McAfee, the cybersecurity firm.
Default passwords and Internet connections are not good cybersecurity practice for any critical infrastructure facility, and yet such discoveries in the water/sewage sector are "not uncommon," a senior cybersecurity official with DHS told the Monitor.
Even so, he notes that forensic analysis of the Illinois case showed quite clearly that neither the Illinois water utility nor the computer-control systems vendor serving it had been hit by a foreign cyberattacker – although he did not explain why the Illinois terrorism center made such a mistake. While utilities often do not keep logs detailed enough to tell whether an intrusion has even taken place, that was not true in this case.
"My technical people on the ground say they had adequate logging, and enough detail to find out there was no intrusion," the senior official says. "My team could not find any evidence of an intrusion.... In lots of cases, installations with control systems don't have good logging, but here the forensics were fairly good."
The DHS's investigation was simply a matter of running to ground a preliminary report that turned out to be false, not unlike many other reports, he says.
"We need to underscore that the initial reporting [by the Illinois terrorism center] is consistent with the type of report we often get," the senior official says. "We don't spend a lot of time caveating [telling state officials to indicate weaknesses in their initial reports]. We want to make sure that any suspicions emerge to be investigated, even if they later turn out to be wrong."