Lessons from the 'water plant hack' that never happened

FBI found no evidence of a cyber intrusion at an Illinois utility, but questions remain -- along with lessons for preventing future attacks

Two weeks ago, the Internet was abuzz with news of a network intrusion into a utility's operation and control system that caused months of glitches and the eventual failure of a water pump. Details of the alleged intrusion came from a leaked alert issued earlier in November by Illinois's fusion center, the Illinois Statewide Terrorism and Intelligence Center that is supported by the U.S. Department of Homeland Security. The alert suggested that an intrusion from a Russian Internet address was to blame.

While many media reports touted the attack as potentially the first known intrusion to damage critical infrastructure, the DHS soon refuted details of the initial alert, following an investigation by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

"After detailed analysis of all available data, ICS-CERT and the FBI found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois," stated a statement (PDF) issued last week.

Supervisory control and data analysis (SCADA) systems are a common industrial control system used by utilities, manufacturers, and other infrastructure providers.

A seemingly unlikely explanation for the diverging accounts emerged late last week: A contractor apparently accessed the system -- by the utility's request -- while vacationing in Russia. The Washington Post first reported the connection between the contractor and the alert. On Wednesday, Wired interviewed the contractor, who supported the assertions that no attack occurred.

A number of questions remain -- such as why the Illinois fusion center and the DHS did not connect the dots before issuing the report -- yet a number of lessons are already apparent.

Lesson No. 1: Information sharing is still broken

The industrial control system expert that leaked the memo did so because he thought the information should not be secret. If the assertions in the original alert were true, utility providers should be warned, Joseph Weiss, a managing partner at Applied Control Solutions, wrote in his original blog post.

Perhaps more troubling is that companies report incidents with the expectation of anonymity, an expectation that the DHS apparently failed to uphold when it identified the location of the company that reported the incident. Reporters later gleaned the name of the utility. As a result, fewer companies will feel secure in reporting issues to state fusion centers, the organizations that are supposed to aid the United States in dodging a domestic attack.

"Talk about a litmus test for what works and what doesn't work, this has been an utter disaster," Weiss said.

Lesson No. 2: U.S. agencies need better communications
Another issue is the length of time it took for the state fusion center to provide information to the Department of Homeland Security and the further delay until action was taken, says Dale Peterson, president of industrial-control system security firm Digital Bond. If the DHS had been on top of the issue, it could have nipped the media frenzy in the bud -- or notified affected vendors, if the issue had been real.

"Even if the evidence is scant and inconclusive, this should have been sent to the go-to group at DHS for industrial-control-system (ICS) security," Peterson wrote in an analysis. "They have been behind the curve on informing asset owners or tamping down hysteria, whatever proves to have been the appropriate course of action."

Lesson No. 3: The utilities are vulnerable
The final lesson: Don't dismiss all purported attacks on U.S. infrastructure. The DHS has still not drawn a firm conclusion about another incident where a hacker, inspired by reports of the Illinois hack, apparently accessed a Houston utility's SCADA system, taking screenshots to demonstrate the utility's poor security.

This week Michael Welch, deputy assistant director of the FBI's Cyber Division, told attendees at a London security conference that attackers have been able to compromise utility networks, according to a report in Information Age.

"We just had a circumstance where we had three cities, one of them a major city within the U.S., where you had several hackers that had made their way into SCADA systems within the city," Welch said, according to the site.

This story, "Lessons from the 'water plant hack' that never happened," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies