The Department of Homeland Security is denying that hackers broke into an Illinois water utility SCADA system and caused a water pump to self-destruct. But the cybersecurity expert who leaked the initial government report is standing by his sources.
That’s the latest out of the unfolding saga of what may, or may not, be the first malicious cyberattack on U.S. utility infrastructure -- or, maybe, just a broken-down water pump.
The story came out last week after Joe Weiss, managing partner of cybersecurity firm Applied Control Solutions in Cupertino, Calif., reported it on his blog. Weiss cited a Nov. 10 disclosure from the Illinois State Terrorism and Intelligence Center (STIC), regarding an investigation into why a water pump at the Curran-Gardner Township Public Water District had broken down.
The report found that utility workers had observed minor glitches in the SCADA system for two to three months before Nov. 4, when the SCADA system was powered on and off rapidly enough to burn out a water pump motor. The report also cited evidence of a cyber attack, including an IP address that was traced back to Russia, and evidence of theft of user names and passwords from a software vendor involved in the utility’s SCADA system.
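The failure mode the report describes, a controller switched on and off fast enough to burn out the motor, is the kind of pattern a pump command log or historian would show before the damage is done. The check below is an added example written for this article, not code from the STIC report, the utility or any vendor: it scans command-log lines for a pump whose commanded state flips more than a set number of times inside a short window. The line format, host names, pump ids and thresholds are all constructed assumptions.

```python
"""Detect rapid ON/OFF cycling of a pump in a SCADA command log.

Added example: the log format, host names and thresholds are constructed
for illustration and are not taken from the STIC report or any product.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed log line format: ISO timestamp, pump id, commanded state, origin host.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pump=(?P<pump>\S+) state=(?P<state>ON|OFF) origin=(?P<origin>\S+)$"
)

# Constructed sample: a normal start/stop pair on P1, then a flurry of flips on P1
# from a second host, a duplicate command on P2, and one unparseable line.
SAMPLE_LOG = """\
2011-11-04T13:00:00 pump=P1 state=ON origin=hmi-01
2011-11-04T13:40:00 pump=P1 state=OFF origin=hmi-01
2011-11-04T13:58:00 pump=P1 state=ON origin=eng-ws-02
2011-11-04T13:58:20 pump=P1 state=OFF origin=eng-ws-02
2011-11-04T13:58:40 pump=P1 state=ON origin=eng-ws-02
2011-11-04T13:59:00 pump=P1 state=OFF origin=eng-ws-02
2011-11-04T13:59:20 pump=P1 state=ON origin=eng-ws-02
2011-11-04T14:10:00 pump=P2 state=ON origin=hmi-01
2011-11-04T14:10:05 pump=P2 state=ON origin=hmi-01
this line is not a command record
""".splitlines()


def parse_line(line):
    """Return (timestamp, pump, state, origin), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["pump"], m["state"], m["origin"]


def detect_rapid_cycling(lines, max_transitions=3, window=timedelta(minutes=5)):
    """Flag any pump whose commanded state changes more than max_transitions
    times within a sliding window.

    A transition is a command whose state differs from the previous command
    for the same pump; repeated identical commands are not transitions.
    One alert is raised per burst, after which the pump's window is reset.
    Returns a list of alert dicts.
    """
    last_state = {}   # pump -> last commanded state
    recent = {}       # pump -> deque of (timestamp, origin) for transitions in window
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, pump, state, origin = rec
        prev = last_state.get(pump)
        last_state[pump] = state
        if prev is None or prev == state:
            continue  # first sighting of this pump, or no state change
        q = recent.setdefault(pump, deque())
        q.append((ts, origin))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop transitions that fell out of the window
        if len(q) > max_transitions:
            alerts.append({
                "pump": pump,
                "start": q[0][0],
                "end": ts,
                "transitions": len(q),
                "origins": sorted({o for _, o in q}),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_rapid_cycling(SAMPLE_LOG):
        print(f"{alert['pump']}: {alert['transitions']} state changes between "
              f"{alert['start']} and {alert['end']} from {alert['origins']}")
```

On the constructed sample the check raises a single alert for P1, covering the four flips between 13:58:00 and 13:59:00 and naming the host that issued them; the earlier start/stop pair is far enough apart to fall out of the window, and the duplicate ON command on P2 is not counted. The threshold and window would be tuned to each pump's normal duty cycle, and the same function doubles as a cheap after-the-fact query over an archived log when a motor fails and the cause is in question.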
Federal officials refused to confirm Weiss’s allegations last week, saying that the DHS and FBI were investigating. But a Tuesday statement from DHS spokesman Chris Ortman says that investigation has “concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported.”
It also said there was no evidence that “any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.” In explaining the discrepancy with the information from the Illinois terrorism center, DHS said the report Weiss cites can’t be substantiated and was based on “raw and unconfirmed data.”
Weiss defended his reporting in a Tuesday blog update, saying that it was based on a formal disclosure. He also added this quote from the report: "It is unknown at this time the number of SCADA usernames and passwords acquired from the software company's database, and if any additional SCADA systems have been attacked as a result of this theft."
Weiss’s post conceded that “if DHS turns out to be correct in its assumptions, then anyone acting on the STIC warning would have been wasting precious resources addressing a problem that doesn’t exist.” But he defended his decision to disclose it, on the grounds that other water utilities need to be given information to protect themselves from a potential attack.
This is far from the first time that utility cybersecurity vulnerabilities have been highlighted, though it is the first reported instance of actual damage being done via an alleged cyber-intrusion. David Marcus, director of security research for McAfee Labs, wrote in a blog post last week that the entire incident raises questions about how water utilities and other SCADA system operators are managing their security.
“My gut tells me that there is greater targeting and wider compromise than we know about,” he wrote, mainly because there isn’t much in the way of “cyberforensics and response procedures” going on at big SCADA-using entities. That particularly applies to water, wastewater and sewage plants, which were lagging other sectors in security measures, according to a McAfee report last year (PDF).
Security is a major challenge for utilities that are seeking to secure legacy control systems that are being hooked up to the internet for the first time. Here’s some background on why utilities need to be concerned about cybersecurity:
- - - - -
Human failures can open newly networked utility systems up to remote attacks. Tom Parker, vice president at computer security firm FusionX, showed at a Black Hat conference in August how he could use simple code and Google searches to theoretically take control of a water treatment facility’s remote terminal units (RTUs), particularly when the RTUs are protected by simplistic and easily guessed passwords like “1234.”
But penetration of SCADA systems can take harder-to-prevent routes as well. One example is Stuxnet, a virus that is believed to have been targeting Iran’s nuclear materials program by infecting Windows computers and thence infiltrating SCADA systems built by Siemens. It was just about a year ago that cybersecurity experts first discovered Stuxnet, but it’s believed that the virus may have been introduced years beforehand -- meaning that SCADA systems around the world may be carrying a version of it right now.
More recently, a virus known as Duqu has drawn the attention of cybersecurity experts. Duqu appears to operate in a similar way to Stuxnet, exploiting a vulnerability in Windows to lodge itself inside servers and collect data passing through them, which could allow for espionage or gathering security data for further exploitation. The computer virus has been shifting around the world, from India to Europe and reportedly back to Iran, as security experts seek to track it down and eliminate it.
Once hackers have gotten access to a SCADA system, there are plenty of actions they can take to damage the system they’ve hijacked. Back in 2007, reports emerged of a DHS experiment that showed how the control system of a gas-fired generator at Department of Energy’s Idaho National Lab could be hacked in a way that destroyed the generator, using a mock-up of a typical power plant’s control system.
Threats can also come from within the utility. In 2000, a disgruntled former employee of a Queensland, Australia water treatment plant decided to remotely access the system and release millions of gallons of sewage into nearby streams and parks.
The North American Electricity Reliability Council (NERC), an industry group in charge of setting critical infrastructure protection (CIP) guidelines for U.S. and Canadian utilities, has just this year begun auditing utilities on the compliance they’ve been self-reporting over the past few years.
NERC recently held a grid security exercise for utilities seeking to comply with its “critical infrastructure protection” program, which might provide some examples of the security precautions that are being tackled.