Lesson No. 1: Information sharing is still broken
The industrial control system expert who leaked the memo did so because he thought the information should not be secret. If the assertions in the original alert were true, utility providers should be warned, Joseph Weiss, a managing partner at Applied Control Solutions, wrote in his original blog post.
Perhaps more troubling is that companies report incidents with the expectation of anonymity, an expectation that the DHS apparently failed to uphold when it identified the location of the company that reported the incident. Reporters later gleaned the name of the utility. As a result, fewer companies will feel secure in reporting issues to state fusion centers, the organizations that are supposed to aid the United States in dodging a domestic attack.
"Talk about a litmus test for what works and what doesn't work, this has been an utter disaster," Weiss said.
Lesson No. 2: U.S. agencies need better communications
Another issue is the length of time it took for the state fusion center to provide information to the Department of Homeland Security and the further delay until action was taken, says Dale Peterson, president of industrial-control system security firm Digital Bond. If the DHS had been on top of the issue, it could have nipped the media frenzy in the bud -- or notified affected vendors, if the issue had been real.
"Even if the evidence is scant and inconclusive, this should have been sent to the go-to group at DHS for industrial-control-system (ICS) security," Peterson wrote in an analysis. "They have been behind the curve on informing asset owners or tamping down hysteria, whatever proves to have been the appropriate course of action."
Lesson No. 3: The utilities are vulnerable
The final lesson: Don't dismiss all purported attacks on U.S. infrastructure. The DHS has still not drawn a firm conclusion about another incident in which a hacker, inspired by reports of the Illinois hack, apparently accessed a Houston utility's SCADA system, taking screenshots to demonstrate the utility's poor security.
This week Michael Welch, deputy assistant director of the FBI's Cyber Division, told attendees at a London security conference that attackers have been able to compromise utility networks, according to a report in Information Age.
"We just had a circumstance where we had three cities, one of them a major city within the U.S., where you had several hackers that had made their way into SCADA systems within the city," Welch said, according to the site.
This story, "Lessons from the 'water plant hack' that never happened," was originally published at InfoWorld.com.