Did We Learn Anything from a Possible Cyber-Attack on the U.S. Water Supply?
The Cyber Security Expert Concerned About Lack of Timely Response to Stuxnet-like Attack
A water pump broke down in the Curran-Gardner Township Public Water District (PWD) in Illinois, near the state capital, Springfield. Not a big deal. There was no interruption in the water supply for 2,200 rural customers. Equipment failures happen every day, and they don't make headlines in national news, but this particular incident has become a sensation. What was the reason?
The water pump acted strangely for a period of time. Later it began turning on and off by itself until its motor burned out. This particular pump, like all other water pumps in the Curran-Gardner Township PWD, was remotely controlled by a supervisory control and data acquisition (SCADA) system. And according to the PWD trustee Don Craven, "There is some indication that there may have been either an attempt successfully or unsuccessfully to hack into our system apparently through this SCADA software."
A typical SCADA system consists of field devices, a server, and clients. Field devices are sensors, which collect various data, and programmable logic controllers (PLCs), which start and stop pumps. A server is a main computer that collects and analyzes data from field devices, starts and stops processes, and raises alarms. Clients are remote computers that connect to the server's network and allow users (normally plant operators and their supervisors) to monitor, start and stop processes controlled by a SCADA system.
In the case of the Curran-Gardner Township PWD it was assumed that somebody hacked into a SCADA software vendor's database with user names and passwords for customers' SCADA systems. Then a hacker used stolen credentials to gain control over the SCADA system in the Curran-Gardner Township, and eventually damaged the water pump. The Illinois State Terrorism and Intelligence Center (STIC) took this case very seriously, but the Department of Homeland Security did everything in its power to downplay the significance of the incident and eventually refused to consider it as a cyber-attack.
After that everything was supposed to calm down, and the only person to blame for the failed sensation must be the cyber security expert Joe Weiss, who was the first to post the information about the broken pump in his blog. Joe Weiss's name became known to the general public because of his involvement in the investigation of the Stuxnet computer worm. Joe Weiss wasn't interested in reporting another sensation. He has a different point. And, before we jump to any conclusions, let's take a closer look at the timeline of events to see what that was all about.
On November 8, 2011 an operator reported a burned-out water pump and linked it to problems with a SCADA system. An IT service and repair company examined the SCADA server's logs and found out that somebody used an Internet Protocol (IP) address in Russia to log into the SCADA system.
On November 10, 2011, two days later, the Illinois State Terrorism and Intelligence Center (STIC) issued its report "Public Water District Cyber Intrusion" describing that a database with SCADA credentials was compromised and one of them was used for the cyber-attack.
On November 16, 2011, eight days later, the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received the report from Illinois STIC and launched its own investigation.
On November 17, 2011 Joe Weiss posted the limited information, based on the state report, about the incident on his blog. Weiss never mentioned the name of the state or the public water district. His biggest concern was that no other water utility companies were notified about the incident.
On the same day the Department of Homeland Security confirmed to the reporters, who were following Joe Weiss's lead, the fact of an on-going investigation and identified the location of the utility company as Springfield, Illinois.
On November 18, 2011 the spokeswoman for City Water, Light and Power utility company, which serves the city of Springfield, denied that the incident mentioned by the Department of Homeland Security took place at their facility. She made an assumption that it was the Curran-Gardner Township utility company.
Late that afternoon, the Curran-Gardner Township PWD trustee Don Craven confirmed through the local newspaper that a federal investigation of the well pump failure was under way. He also made several comments such as, "Whether the burnout of that pump was related to this what might or might not have been a hacking, we don't know" and "There is some indication that there may have been either an attempt successfully or unsuccessfully to hack into our system apparently through this SCADA software."
The same day, ten days later, WaterISAC (Information Sharing and Analysis Center), the community organization of water sector professionals, sent e-mails to its members notifying them of the information in the media about an investigation of a possible threat.
On November 23, 2011 the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released a statement that there was no evidence of cyber terrorism, and the initial report by the state organization was based on "raw, unconfirmed data".
It took the Department of Homeland Security eight days to learn about possible hacking into the database of SCADA credentials, and no warning was issued. And this is exactly what concerns Joe Weiss. The lack of communication and timely response in a case of a Stuxnet-like attack on SCADA systems makes them completely vulnerable. Keep in mind that SCADA systems control not only the water supply, but also the electric grid, natural gas and oil pipelines, traffic lights, and the majority of industrial processes. In this type of situation should we all follow the proverb - better be safe than sorry?
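The log review in the November 8 entry and the pump's repeated on/off cycling can each be turned into a simple check. The following is an added example, not part of the original article or of any vendor's software; the log format, account names, addresses (documentation ranges) and thresholds are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not any vendor's real format).
# Assumption: a PUMP record is written only when the pump changes state.
SAMPLE_LOG = """\
2011-11-08T01:00:00 LOGIN user=operator1 src=192.0.2.10 result=success
2011-11-08T01:05:00 PUMP id=well2 state=ON
2011-11-08T02:10:00 LOGIN user=vendor_support src=203.0.113.45 result=success
2011-11-08T02:11:00 PUMP id=well2 state=OFF
2011-11-08T02:12:00 PUMP id=well2 state=ON
2011-11-08T02:13:00 PUMP id=well2 state=OFF
2011-11-08T02:14:00 PUMP id=well2 state=ON
"""

# Assumption: networks from which remote logins are expected (documentation range).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LINE = re.compile(r"^(\S+) (LOGIN|PUMP) (.*)$")

def parse(log):
    """Yield (timestamp, kind, fields) for each well-formed line; skip the rest."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
            yield datetime.fromisoformat(m.group(1)), m.group(2), fields

def unexpected_logins(events):
    """Successful logins whose source address is outside every allowed network."""
    hits = []
    for ts, kind, f in events:
        if kind == "LOGIN" and f.get("result") == "success":
            src = ipaddress.ip_address(f["src"])
            if not any(src in net for net in ALLOWED_NETS):
                hits.append((ts, f["user"], str(src)))
    return hits

def short_cycling(events, max_changes=3, window=timedelta(minutes=10)):
    """Pumps with more than max_changes state changes inside a sliding window."""
    changes, flagged = {}, set()
    for ts, f in ((t, f) for t, k, f in events if k == "PUMP"):
        times = changes.setdefault(f["id"], [])
        times.append(ts)
        while ts - times[0] > window:  # drop changes older than the window
            times.pop(0)
        if len(times) > max_changes:
            flagged.add(f["id"])
    return flagged
```

Pass both functions the same list, for example `events = list(parse(SAMPLE_LOG))`; a pump flagged for short cycling soon after an unexpected login is the combination worth escalating.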
Sources:
- 1. Cyberattack investigation centers on Curran-Gardner water pump by Deana Stroisch. The State Journal-Register. Springfield, IL. Posted November 18, 2011.
- 2. Water System Hack - The System Is Broken by Joe Weiss.
- 4. Is the WaterISAC Helping the Water Industry? - The Illinois Water Hack Raises Serious Questions by Joe Weiss.
- 5. H(ackers)2O: Attack on City Water Station Destroys Pump by Kim Zetter. Wired.com
- 6. KrebsOnSecurity: Cyber Intrusion Blamed for Hardware Failure at Water Utility
- 7. SiliconANGLE: Department of Homeland Security Slams Reports of Cyber Sabotage at Illinois Water Pump by Kit Dotson
Published by Roman Poroshyn
3 Comments
Wow!
We are not immortal and Superman does not patrol the skies. Let's remain diligent:) Good report.
Interesting report. Thanks.