Illinois utility targeted by cybersaboteurs? US pours water on the idea.
The Illinois water utility supposedly was the first critical bit of US infrastructure damaged by foreign cybersaboteurs. The DHS and FBI found no evidence it was hacked, but are now investigating another suspected attack.
An Illinois water utility suspected of being the first piece of critical infrastructure on US soil to be successfully targeted by foreign cybersaboteurs was not sabotaged at all, a Department of Homeland Security investigation found.
At the same time, DHS and the Federal Bureau of Investigation are investigating an apparently unrelated, yet concurrent cyberintrusion into a South Houston water utility's computerized control system.
In the Illinois utility’s case, a computer-controlled pumping system was reported to have been hacked – and a pump burned out – by hackers operating through a computer with an address in Russia, according to a Nov. 10th report by the Illinois Statewide Terrorism and Intelligence Center, a federal-state cooperative venture. If true, it would have been by far the more serious cyberattack.
That’s because in addition to the pump damage, passwords and user identifications granting access to other utilities were reportedly stolen from a water-utility vendor, raising the possibility that other utilities could be hacked, too, and with far more serious damage.
Some details of the Illinois report were first revealed on the blog of Joe Weiss, president of Applied Control Solutions and a control-system security expert. But the DHS investigation of the Illinois terrorism center's “raw, unconfirmed” information found nothing suspicious, federal officials say.
“After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the [computerized industrial control] system of the Curran-Gardner Public Water District in Springfield, Illinois,” DHS spokesman Chris Ortman said in the statement e-mailed to the Monitor.
“There is no evidence to support claims made in initial reports – which were based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.”
Sensitivity to cyberattacks on computerized industrial control systems has soared in the past year since the discovery of Stuxnet, the first publicly confirmed cybersuperweapon – a digital guided missile that could emerge from cyberspace to destroy a physical target in the real world. Its target was Iran’s nuclear fuel facilities, and security experts predicted that copycat attacks on real-world industrial equipment could follow within a year or two.
Despite such concerns, DHS and FBI have concluded “there was no malicious traffic from Russia or any foreign entities, as previously reported,” Mr. Ortman's statement says. “Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.”
But the DHS findings that there was nothing at all to what had seemed to be fairly specific findings in the state report were less than reassuring to Mr. Weiss. Local media reports also quoted the utility's officials saying there had been a cyberattack.
“Why would the state terrorism center put out such a definitive report to their critical infrastructure operators in Illinois,” he wonders. “That Illinois report never used one word to indicate it was preliminary or raw.... This whole thing just smells so bad, because there was way too much specificity in there to just toss it all off.”