FAQ: An update on the Illinois water district non-hack
- 02 December, 2011 09:31
As it turns out, reports that Russian hackers broke into the Curran-Gardner Water District network in Illinois with usernames and passwords stolen from a consultant to the district, and then accessed its control system to burn out a pump, are not true.
It now appears that the pump in question was not switched on and off on command from the control platform that oversees it until it overheated and failed.
The incident last month was also not the first known case of a cyberattack against U.S. critical infrastructure launched from a foreign power as it was initially touted.
So what did happen and how did the story get so out of hand? Here are some questions and answers to shed some light. The answers are based on original reporting and published reports.
So what did happen?
A pump burned out in the Curran-Gardner Water District infrastructure sometime around the beginning of November. In trying to figure out why it burned out, a consultant noted that about four months earlier someone had accessed the district's supervisory control and data acquisition (SCADA) network from a Russian IP address. The username and password of a SCADA consultant the district contracts with was used to gain entry.
The SCADA consultant whose username and password were used actually did access the system from Russia in June while his family was on vacation, according to a Wired interview with the SCADA consultant, Jim Mimlitz, owner of Navionics Research. He says he was doing so in response to a request from Curran-Gardner to examine historical data housed on the machine hosting the SCADA software.
A different consultant asked in November to look into the cause of the pump failure noted the log entry from when Mimlitz accessed the system in June. Water district officials reported the incident to the Environmental Protection Agency as a precaution.
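The investigative step the article describes is a log review: an examiner finds a remote login from a foreign address in the SCADA host's access log and has to decide whether it explains a pump failure. The following script is an added example, not code from the article, the water district, or any vendor it names. It runs over constructed log lines and a constructed record of vendor sessions the district had approved, and reports two facts an investigator would want before escalating: whether the login falls inside an authorized session window, and how far it sits in time from the failure. The log format, usernames, IP addresses, timestamps and the `triage`/`escalation_candidates` helpers are all assumptions for the example.

```python
"""
Added example: triage of "foreign IP" remote logins in a SCADA access log.
Everything here (log format, users, addresses, session windows, timestamps)
is constructed for illustration and does not come from the article.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed log line shape: "<ISO timestamp> user=<name> src=<ip> action=<login|logout>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$")

# Constructed sample log from the SCADA host. 203.0.113.45 stands in for the
# vendor's holiday connection; 198.51.100.7 is a second, unexplained source.
SAMPLE_LOG = """\
2011-06-20T14:02:11 user=vendor_svc src=203.0.113.45 action=login
2011-06-20T15:40:03 user=vendor_svc src=203.0.113.45 action=logout
2011-10-30T08:15:27 user=operator src=192.0.2.10 action=login
2011-11-01T03:12:54 user=vendor_svc src=198.51.100.7 action=login
"""

# Constructed record of vendor access the district approved (user, start, end),
# e.g. taken from a support ticket or change request.
AUTHORIZED_SESSIONS = [
    ("vendor_svc", datetime(2011, 6, 20, 12, 0), datetime(2011, 6, 20, 18, 0)),
]

# Constructed: address ranges the district normally expects logins from.
EXPECTED_NETS = [ip_network("192.0.2.0/24")]


@dataclass
class Finding:
    ts: datetime
    user: str
    src: str
    authorized: bool          # login falls inside an approved session window
    hours_to_failure: float   # failure time minus login time, in hours


def parse_line(line):
    """Return (timestamp, user, src, action) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["action"]


def triage(log_text, failure_at, authorized=AUTHORIZED_SESSIONS, expected_nets=EXPECTED_NETS):
    """List every login from outside the expected ranges, annotated with
    whether it was pre-approved and how far it is from the failure event."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, src, action = rec
        if action != "login":
            continue
        if any(ip_address(src) in net for net in expected_nets):
            continue  # routine internal access; not a foreign-login finding
        approved = any(u == user and start <= ts <= end for u, start, end in authorized)
        findings.append(Finding(ts, user, src, approved, (failure_at - ts).total_seconds() / 3600))
    return findings


def escalation_candidates(findings, window_hours=72):
    """Keep only logins that were not pre-approved AND occurred within the
    given window before the failure. A pre-approved login months earlier,
    like the June session in the article, drops out here."""
    return [f for f in findings if not f.authorized and 0 <= f.hours_to_failure <= window_hours]


if __name__ == "__main__":
    failure = datetime(2011, 11, 1, 4, 0)  # constructed pump-failure timestamp
    for f in triage(SAMPLE_LOG, failure):
        print(f"{f.ts} {f.user}@{f.src} authorized={f.authorized} "
              f"hours_to_failure={f.hours_to_failure:.1f}")
    print("escalate:", [(f.ts.isoformat(), f.src) for f in escalation_candidates(triage(SAMPLE_LOG, failure))])
```

On the constructed data, the June login is flagged as a foreign-source login but is marked authorized and sits roughly 3,200 hours before the failure, so it is not an escalation candidate; only the unexplained Nov. 1 login, 47 minutes before the failure and outside any approved window, survives. The design point is that a foreign address by itself is a lead, not a conclusion: the approved-session record and the time gap are what separate a vendor working from a hotel from an intrusion.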
What's the big deal?
The report of the pump failure and the access from the Russian IP address made its way to the Illinois Statewide Terrorism & Intelligence Center (STIC), which issued a Nov. 10 report describing the incident in alarming terms. The report "Public Water District Cyber Intrusion" says the water district's network was hacked from a Russian IP address. It was believed, the report says, that the hackers had gained access to legitimate usernames and passwords from the consultant who sold the district its SCADA software (that is, Navionics). Those stolen credentials included usernames and passwords of other clients of the SCADA software integrator, the report says.
For the two or three months leading up to the pump failure, the report says, glitches were observed in the remote access system to the SCADA network. Whoever hacked into the SCADA network cycled the power on and off to the pump in question, resulting in the pump burning out, according to the Illinois STIC report.
Isn't that serious?
It seems so. One recipient of the Illinois STIC report showed it to its SCADA consultant, Joe Weiss. Weiss says he thought the report contained information that ought to have been widely disseminated among water authorities, yet no word of the hack was coming out of official channels. After a week or so, he decided to leak the report to the press, initially the Washington Post, which ran a story under the headline, "Foreign hackers targeted U.S. water plant in apparent malicious cyber attack, expert says."
Other outlets picked up the story, identifying the attack as the first successful hack to cause damage to U.S. critical infrastructure launched from a foreign country.
How did the U.S. react?
The Department of Homeland Security's (DHS) Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) issued a statement saying it could not corroborate the report from Illinois STIC, also known as the Illinois Fusion Center: "There is no evidence to support claims made in the initial Fusion Center report -- which was based on raw, unconfirmed data and subsequently leaked to the media -- that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available."
Why did Illinois STIC send out a report based on raw, unconfirmed data?
That's being reviewed internally, says Monique Bond, a spokeswoman for Illinois STIC. The review seeks to establish how the information was passed on until it became public, she says, and what the status of the information was -- for example, was it raw intelligence or actionable information?
Where did the information in the report come from?
DHS, Bond says.
Wait, didn't DHS say there's no evidence to support the Illinois STIC report?
That's right, but apparently the initial report was before DHS investigated thoroughly.
Why did Illinois STIC send out such an alarming notice without checking it out?
That's something else Bond says the internal review is looking into.
What is a STIC anyway?
STICs are collaborative groups that include state police, FBI, DHS and other pertinent agencies that pool information to try to spot malicious activity and stop it. Each one -- there are more than 70 of them -- sets up its own procedures.
Was the initial STIC report secret?
It was marked unclassified and sent to a limited list of people.
So what's with Joe Weiss spreading it around?
Weiss says that if the information was worth sending out at all, it was worth sending out broadly and as soon as possible to people who might benefit from it. After all, if user credentials protecting public water supplies had been compromised or if a foreign power was starting to attack critical infrastructure, it would be important for potential targets to know about it. For example, other water districts using the same SCADA integrator would want to know their usernames and passwords might have been stolen. He says he waited days for a follow-up report or broader notification through conventional channels, but none came. He took it upon himself to spread the word via the press.