Cyberattack on Illinois water utility may confirm Stuxnet warnings
A state report claims that a foreign cyberattack disabled a water pump at an Illinois water utility, say experts who have seen the report. After discovery of the Stuxnet cyberweapon a year ago, many experts predicted that cyberattacks on US infrastructure were imminent.
A foreign cyberattack on the computer control systems of an Illinois water utility system earlier this month burned out a water pump, according to a recent state report. The attack may be the first known attempt to successfully destroy a piece of critical US infrastructure, say industrial control-system experts.
The Federal Bureau of Investigation and other agencies are investigating the Nov. 8 cyberattack, said Peter Boogaard, a spokesman for the Department of Homeland Security (DHS), in a written statement. The name of the utility was not released.
The implications of the attack could be far broader than just wrecking a single pump. Hackers may have also stolen passwords and other information needed to gain access to many more water utility control systems across the United States, according to the Nov. 10 report by the Illinois Statewide Terrorism and Intelligence Center, a federal-state cooperative venture. Some of its details were revealed Thursday on the blog of Joe Weiss, president of Applied Control Solutions and a control-system security expert.
The attack occurred just more than a year after the discovery of Stuxnet, the first publicly confirmed cyber superweapon – a digital guided missile that could emerge from cyberspace to destroy a physical target in the real world. Its target was Iran's nuclear fuel facilities, and security experts predicted that copycat attacks on real-world industrial equipment could follow within a year or two.
The Nov. 8 attack in Illinois wasn't a Stuxnet-type attack, but it suggests a higher level of interest among hackers in controlling industrial systems – and sabotaging them.
"This is a big deal," Mr. Weiss says. "It's arguably the first case where we've had critical infrastructure targeted by people outside the US and equipment damaged as a result. But the really big issue is that someone hacked a [software vendor who sells control systems to water utilities] just to get at the user-IDs and passwords for the utilities that were its customers."
The DHS downplayed the incident.
"DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Ill.," said Mr. Boogaard. "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."
An analysis of the Illinois water utility company's computer logs indicates the attack came from the Internet address of a computer in Russia. The Illinois center's report is titled "Public Water District Cyber Intrusion," according to Weiss. He read sections of the report, marked "For Official Use Only," to this reporter. The details were confirmed by a water industry expert, who has seen a similar official document and asked to remain anonymous for fear of being excluded from confidential reports in the future.
"Sometime during the day of Nov. 8, a water district employee noticed problems with the SCADA [Supervisory Control And Data Acquisition] system," said Weiss, quoting the report. "It [the SCADA system] was going on and off, resulting in the burnout of the pump."
A technician who checked the logs of the SCADA system found that "the system had been remotely hacked into from an IP address located in Russia," Weiss said, continuing from the report.
But the hackers had likely been inside the utility's computer systems for at least several months because "workers had begun to notice minor glitches" in the system access function as early as September, Weiss said.
The report also said: "It is unknown at this time the number of SCADA usernames and passwords acquired from the software company's database, and if any additional SCADA systems have been attacked as a result of the theft."
If true, the theft could have alarming consequences, because it indicates the hackers infiltrated the Illinois control system only after obtaining access credentials for it, apparently from a software supplier to the utility, Weiss said and other experts confirmed.
"The report doesn't say if the company that got hacked is a small system integrator or a big vendor," Weiss says. "I'm hoping it's a small one with a lot fewer clients."
In that way, the attack is quite different from one of the earliest known cyber-infrastructure attacks – by a disgruntled former employee of a Queensland, Australia, water treatment utility. In 2000, he used his insider knowledge to access that system remotely and release hundreds of thousands of gallons of sewage.
Recently, the sort of attack employed against the Illinois facility has become a standard approach. High-end hackers find it more efficient to go after software vendors and security-system vendors who have the codes and passwords of their clients, security experts say. If a hacker can get access to the mother lode, it's much less time consuming than hacking each target individually.
"It wasn't necessarily just an attack on that one water-treatment facility," says David Aitel, president of Immunity Inc., a Miami-based cybersecurity company. "A large part of this appears to be about someone attacking the supply chain for industrial control-system devices. If you can attack the supply chain, you can essentially hit many facilities. If these reports are true, you're looking at a very large threat – and someone who really knew what they were doing."
Hackers, possibly operating from China, earlier this year stole access data from RSA Security Solutions, which provides secure remote computer access to defense contractors and government agencies. Some companies that used RSA devices were later hacked using the stolen information.
Weiss says he posted parts of the Illinois report, without indicating the location of the utility that got hit, in order to alert other water utilities that their control systems may have been hacked, too. He also worries that the Department of Homeland Security's Industrial Control System Computer Emergency Response Team was not doing a good job informing them.
DHS pushed back against this allegation.
If it "identifies any information about possible impacts to additional entities, it will disseminate timely mitigation information as it becomes available," said Boogaard.