Illinois water authority hack: Threat has been looming for years

While nobody is willing to say whether a burned-out pump at an Illinois water authority is the result of a cyberattack, the big issue remains that nobody can say that it wasn't, according to experts.

"Whether it happened or not, there's a reality that it can happen," says Michael Arceneaux, managing director of WaterISAC, a national clearinghouse and alert system for water and wastewater system security.

And nobody seems to be doing much about it.

The overriding weakness of these supervisory control and data acquisition (SCADA) systems is that they are ultimately connected to the Internet, says Ira Winkler, a penetration-testing consultant who for years has been making public calls for better SCADA security. The systems were originally set up to be isolated, but as businesses and utilities using them grew they connected to their enterprise networks, which in turn connected to the Internet.

That means if attackers can hack into the enterprise network, from there they can hack into the SCADA network. "I don't know why this is acceptable," Winkler says. "It's devastatingly stupid."

The underlying problem is that there are no regulations that force owners of these networks to secure them. There are guidelines and recommendations and voluntary standards, but nothing with legal bite, he says, that can issue penalties for failing to comply.

In general, networks like the one that may have been hacked at the Curran-Gardner Water District lack the protections and forensics that are standard in most corporate networks, says Joseph Weiss, managing partner at Applied Control Systems LLC and author of the book "Protecting Industrial Control Systems from Electronic Threat." He is also the one who made the Curran-Gardner incident public in a blog post last week.

Weiss is concerned that the Department of Homeland Security hasn't identified the Illinois incident as a cyberattack despite its being called such by the Illinois Terrorism Fusion Center, an anti-terrorism agency coordinated by the Illinois State Police. He feels that the word should get out so other water authorities can be on the alert.

Arceneaux says his group has issued an advisory to its members, but doesn't call it a cyberattack because it has no direct knowledge of what happened. "We go by what the FBI and DHS made available," he says, and they have said nothing conclusive.

"From what they had, there may have been some strange things going on this summer with their SCADA system," he says, "then the pump fails." But there is no evidence linking the two; they may be coincidence, he says.

Weiss says he's seen a document from the Illinois Terrorism Fusion Center that says user names and passwords were stolen from the SCADA consultant to the Curran-Gardner water district. The district noted what are referred to as glitches in its remote access system over the past few months.

Then earlier this month, someone accessing the network from a Russian IP address managed to turn the SCADA system on and off, which also turned the pump on and off, which resulted in its failure, he says.
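The two warning signs described above, remote access from an unexpected source and a pump being cycled on and off in quick succession, are the kind of thing a water district can watch for in its own remote-access and control logs. The following is an added illustration, not code from the article or from any of the organisations it mentions; the log format, the trusted address ranges and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): a remote session issues commands
# to a pump from an address outside the expected ranges, then normal
# operator activity follows from the plant network.
SAMPLE_LOG = """\
2011-11-08 02:11:03 user=consultant src=198.51.100.7 action=login
2011-11-08 02:11:40 user=consultant src=198.51.100.7 cmd=pump1 state=OFF
2011-11-08 02:11:52 user=consultant src=198.51.100.7 cmd=pump1 state=ON
2011-11-08 02:12:05 user=consultant src=198.51.100.7 cmd=pump1 state=OFF
2011-11-08 02:12:18 user=consultant src=198.51.100.7 cmd=pump1 state=ON
2011-11-08 09:30:00 user=operator src=10.20.0.15 cmd=pump1 state=OFF
2011-11-08 17:45:00 user=operator src=10.20.0.15 cmd=pump1 state=ON
"""

# Assumed line format: timestamp, user, source address, then either a
# session action or a command that sets an asset to a state.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"(?:action=(?P<action>\S+)|cmd=(?P<asset>\S+) state=(?P<state>\S+))$")

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["src"] = ipaddress.ip_address(d["src"])
        events.append(d)
    return events

def analyze(log_text, trusted_nets, max_toggles=3, window=timedelta(minutes=5)):
    """Flag sources outside trusted_nets and assets whose state was
    changed max_toggles or more times within one window."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    events = parse(log_text)
    untrusted = sorted({str(e["src"]) for e in events
                        if not any(e["src"] in n for n in nets)})
    changes, last, bursts = defaultdict(list), {}, []
    for e in events:
        if e["asset"] and last.get(e["asset"]) != e["state"]:
            changes[e["asset"]].append(e["ts"])  # record each real state change
            last[e["asset"]] = e["state"]
    for asset, times in changes.items():
        for i in range(len(times)):  # sliding window over change timestamps
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= max_toggles:
                bursts.append((asset, times[i], j - i + 1))
                break
    return {"untrusted_sources": untrusted, "toggle_bursts": bursts}
```

Run against the sample with the plant range and the consultant's assumed VPN range as trusted, `analyze(SAMPLE_LOG, ["10.20.0.0/16", "203.0.113.0/24"])` reports the untrusted address and a four-change burst on pump1, while the two routine operator commands hours apart are not flagged.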

His guess is that the attackers weren't trying to destroy the pump, but were rather just experimenting with what capabilities they had and in doing so ruined the pump. Perhaps their efforts were preparation for a larger attack, he says.

Winkler agrees that destroying the pump was probably inadvertent because if the attackers were preparing for a larger attack later, they wouldn't want to cause damage that would reveal they had the ability to do so.

And he leaves open the possibility that the attackers were on a lark, breaking in just to see whether they could and then poking around once they did.

Winkler says the Russian IP address doesn't offer much in the way of identifying who is responsible for the attack. Using a Russian server as a relay is just good hacking practice to help hide where the hacker is really located since Russian officials are reluctant to help out in cyber investigations. "If you're going to hack, take the basic steps to cover your tracks," he says.
