Did Hackers Really Hit an Illinois Water Plant?

Federal authorities are investigating whether a sophisticated, remote cyberattack is to blame for the disruption of a pump at an Illinois public water facility last week, or if the pump's "failure" was the result of an ordinary malfunction.
/ Source: SecurityNewsDaily

Despite a denial from the Department of Homeland Security that any attack occurred, the security researcher who disclosed the incident stands behind his findings, and worries that other critical infrastructure facilities may be in danger.

"This is real," Joe Weiss, the control systems security consultant who disclosed the incident on his blog yesterday (Nov. 17), told SecurityNewsDaily. "This was a cyberintrusion incident."

The report

Weiss said he obtained the "Public Water District Cyber Intrusion" report released by the Illinois Statewide Terrorism and Intelligence Center (STIC) on Nov. 10. The report, Weiss said, explained that hackers penetrated the network of a Supervisory Control and Data Acquisition System (SCADA) vendor — SCADA systems are used to automate operations at many industrial control facilities — and stole usernames and passwords which they then used to make a water pump turn on and off, and eventually stop working entirely.

The report, which has not been released to the public, said that the hackers operated from Russian IP addresses, Weiss told SecurityNewsDaily, and were tampering with the SCADA-controlled water pump for the past two to three months, before a water facility employee noticed on Nov. 8 that a pump was experiencing "glitches" and not functioning correctly. The employee notified a computer repair company, which determined that the SCADA system had been hacked.
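The pattern the report describes, remote logins with stolen vendor credentials from unexpected addresses and a pump being switched on and off repeatedly over a long period, is one that a utility can look for in its own remote-access and command logs. The following Python script is an added example, not code from the article or from any of the organizations it names; the log format, the `vendor_svc` and `operator1` accounts, the IP ranges and the thresholds are all constructed for illustration. It flags any login or pump command from a source outside an allow-list of the plant LAN and the vendor's known maintenance range, and separately flags any account that toggles the pump more than a few times inside a short window.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one event per line in the form
#   <ISO timestamp> user=<account> src=<ip> action=<login|pump_on|pump_off>
# The first block mimics an intruder cycling the pump at 3 a.m. with a vendor
# account; the rest mimics a local operator and a legitimate vendor session.
SAMPLE_LOG = """\
2011-09-02T03:14:07 user=vendor_svc src=203.0.113.45 action=login
2011-09-02T03:14:30 user=vendor_svc src=203.0.113.45 action=pump_off
2011-09-02T03:15:02 user=vendor_svc src=203.0.113.45 action=pump_on
2011-09-02T03:15:40 user=vendor_svc src=203.0.113.45 action=pump_off
2011-09-02T03:16:11 user=vendor_svc src=203.0.113.45 action=pump_on
2011-09-02T09:00:00 user=operator1 src=10.20.0.15 action=login
2011-09-02T09:05:00 user=operator1 src=10.20.0.15 action=pump_off
2011-09-03T14:00:00 user=vendor_svc src=198.51.100.7 action=login
"""

# Assumed allow-list: the plant's control LAN and the vendor's documented
# maintenance network. Anything else touching the SCADA host is suspicious.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumed operational threshold: more than this many on/off commands from
# one (account, source) pair inside WINDOW is treated as abnormal cycling.
MAX_TOGGLES_PER_WINDOW = 3
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with parsed timestamp and IP."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unexpected_sources(records):
    """Source IPs that issued a login or command but belong to no allowed network."""
    bad = set()
    for rec in records:
        if not any(rec["src"] in net for net in ALLOWED_SOURCES):
            bad.add(str(rec["src"]))
    return sorted(bad)


def rapid_cycling(records):
    """(account, source) pairs that toggled the pump too often inside WINDOW.

    Uses a sliding window over the sorted command timestamps of each pair.
    """
    toggles = defaultdict(list)
    for rec in records:
        if rec["action"] in ("pump_on", "pump_off"):
            toggles[(rec["user"], str(rec["src"]))].append(rec["ts"])

    flagged = []
    for key, times in toggles.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 > MAX_TOGGLES_PER_WINDOW:
                flagged.append(key)
                break
    return flagged


def analyze(text):
    """Run both checks over a log text and return the findings."""
    records = parse_log(text)
    return {
        "unexpected_sources": unexpected_sources(records),
        "rapid_cycling": rapid_cycling(records),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

On the constructed sample the script reports `203.0.113.45` as an unexpected source and `('vendor_svc', '203.0.113.45')` as a rapid-cycling pair, while the operator's single command and the vendor's login from its documented range pass both checks. The two checks are deliberately independent: a stolen credential used from an allowed network would still be caught by the cycling check, and a reconnaissance login that issues no commands would still be caught by the source check.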

"This is arguably the first case where we've had a hack against critical infrastructure from outside the U.S. that has caused damage," Weiss told SecurityNewsDaily. "We don't even know what other utilities could be at risk, that's what's so scary."

Weiss said he disclosed the incident because he felt the Department of Homeland Security should have reported that the attack occurred. He said the report identified Springfield, Illinois as the site of the incident, but it did not specify what public water utility was affected.

DHS denies the hack

The DHS confirmed today (Nov. 18) that it is investigating the disrupted pump, but it has no reason to believe a hacker caused the incident.

"DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Ill. At this time, there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety," Peter Boogaard, spokesman for the DHS, told SecurityNewsDaily.

Boogaard added that if the DHS or the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) "identifies any information about possible impacts to additional entities, it will disseminate timely mitigation information as it becomes available."

Gap in the story

Amber Sabin is the public information officer for City Water, Light & Power (CWLP), the municipal electric and water utility for Springfield, Ill. Responding to a call identifying CWLP as the site of the failed pump and possible cyberattack, Sabin told SecurityNewsDaily that media reports have wrongly identified her agency.

"We were not under cyberattack," Sabin told SecurityNewsDaily. "We've been identified as the utility by mistake. It's not City Water, Light and Power."

A spokesperson for the city of Springfield confirmed that CWLP is the only public water facility serving the city.

Based on the publicly available information, which remains scant at this point, Tiffany Strauchs Rad, a SCADA vulnerability expert, told SecurityNewsDaily she isn't entirely sure that the disrupted pump "was a malfunction or a malicious hack," although she noted that Weiss is a well-respected researcher in the SCADA industry.

In a CNN article, Sean McGurk, former director of the National Cybersecurity and Communications Integration Center, said the water pump error might simply have been a routine malfunction or an "unintended consequence of maintenance."

"This is just one of many events that occur almost on a weekly basis," McGurk said.

SCADA systems are easy, attractive targets

Whether or not this particular failed water pump was the result of a hack, experts agree that the threat of such an event is real and should be prepared for.

"Industrial control facilities using SCADA and ICS should be alert to these risks regardless of whether this particular instance was a malicious attack or not," Rad told SecurityNewsDaily. "Over the past decade, a lot of information security research has elucidated many of these vulnerabilities. It is not an overexaggeration to state that there are many facilities that could be at risk."

"Even if it didn't happen, it's not an unlikely thing to have happened," said Dave Aitel, chief executive officer of Miami-based security firm Immunity, Inc. Aitel, a former computer scientist with the National Security Agency (NSA), said that until major changes are made in the way SCADA-controlled facilities operate, threats like this are going to continue.

To physically upgrade a SCADA system, a facility needs to shut down. It's an action most facilities simply can't afford to take.

"The ability to turn off a power plant is very difficult to build in [to SCADA software]," Aitel told SecurityNewsDaily. "That's a huge extra expense that most likely your local utility doesn't pay for."

Putting such upgrades in place would require a facility to strengthen its defenses against cyberattacks, an effort that would be not only costly but also difficult, and one that is simply not a top priority. Yet Aitel said that just as online crooks have begun targeting smaller enterprises with less-rigorous security, like small-town banks, industrial facilities in middle-America towns like Springfield are attractive targets.

"It doesn't have to be Goldman Sachs for people to make off with real money," Aitel said, adding that firms like Goldman Sachs are becoming less attractive because "they have real money" to protect themselves.

Critical infrastructure facilities must disconnect to survive

Aitel has two words for SCADA-based facilities to fend off damaging cyberattacks: "Avoid connectivity."

He said keeping critical operations — such as water pumps and nuclear reactors — disconnected from the main network reduces the risk that an attacker can infiltrate one system and wreak total havoc from there.

"At some point, you have to have someone at the top who says no to increasing connectivity," Aitel said. "It almost seems counterintuitive — you can manage it better if you can talk to it, but so can a malicious hacker."

An air gap, in which a secure network is physically, electrically and electromagnetically isolated from any insecure network, is "the only way to secure something that you otherwise could not secure," Aitel said. "It will stop 99 percent of people that are going after you."