An Illinois water utility suspected of being the first piece of critical infrastructure on US soil to be successfully targeted by foreign cybersaboteurs was not sabotaged at all, a Department of Homeland Security investigation found.
At the same time, DHS and the Federal Bureau of Investigation are investigating an apparently unrelated, yet concurrent cyberintrusion into a South Houston water utility's computerized control system.
In the Illinois utility’s case, a computer-controlled pumping system was reported to have been hacked – and a pump burned out – by hackers operating through a computer with an address in Russia, according to a Nov. 10th report by the Illinois Statewide Terrorism and Intelligence Center, a federal-state cooperative venture. If true, it would have been by far the more serious cyberattack.
That’s because in addition to the pump damage, passwords and user identifications granting access to other utilities were reportedly stolen from a water-utility vendor, raising the possibility that other utilities could be hacked, too, and with far more serious damage.
Some details of the Illinois report were first revealed on the blog of Joe Weiss, president of Applied Control Solutions and a control-system security expert. But the DHS investigation of the Illinois terrorism center's “raw, unconfirmed” information found nothing suspicious, federal officials say.
“After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the [computerized industrial control] system of the Curran-Gardner Public Water District in Springfield, Illinois,” DHS spokesman Chris Ortman said in the statement e-mailed to the Monitor.
“There is no evidence to support claims made in initial reports – which were based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.”
Sensitivity to cyberattacks on computerized industrial control systems has soared in the past year since the discovery of Stuxnet, the first publicly confirmed cybersuperweapon – a digital guided missile that could emerge from cyberspace to destroy a physical target in the real world. Its target was Iran’s nuclear fuel facilities, and security experts predicted that copycat attacks on real-world industrial equipment could follow within a year or two.
Despite such concerns, DHS and FBI have concluded “there was no malicious traffic from Russia or any foreign entities, as previously reported,” Mr. Ortman's statement says. “Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.”
But the DHS findings that there was nothing at all to what had seemed to be fairly specific findings in the state report were less than reassuring to Mr. Weiss. Local media reports also quoted the utility's officials saying there had been a cyberattack.
“Why would the state terrorism center put out such a definitive report to their critical infrastructure operators in Illinois,” he wonders. “That Illinois report never used one word to indicate it was preliminary or raw.... This whole thing just smells so bad, because there was way too much specificity in there to just toss it all off.”
DHS officials did confirm, however, that it and the FBI are investigating a separate suspected hack into the computer-controlled pumping system of a South Houston water treatment facility.
Computer “screenshots” of diagrams purported to be those belonging to the computer-controlled waste-treatment system in Houston were posted by a hacker calling himself “prOF” on Nov. 18 – shortly after the Illinois incident was reported by news media. The DHS had initially downplayed the suspected hacking of the Illinois facility.
“This was stupid,” prOF wrote on a message posted with the diagrams on the public website Pastebin, often used by hackers to communicate anonymously. “You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely [messed up] the state of national infrastructure is.”
This is what prompted him to show that DHS was wrong, and that such systems were easy to hack.
“I was furious at the lack of proper government response,” prOF wrote in an e-mail exchange with Chester Wisniewski, senior security adviser at Sophos Canada, a computer security firm. “The response they gave was nothing more than ‘Nothing happened. Probably.’ When clearly something did happen.”
The hacker also indicated that, in South Houston’s case, it was a simple matter of guessing what turned out to be a three-character password – and that many water utilities in the US have both Internet-connected systems with weak protections to boot. Many cybersecurity experts agree with him.
In a global assessment last year of the cybersecurity posture of critical-infrastructure sectors such as the financial industry, electric utilities, oil and gas, and others, the water/sewage sector had the lowest rate of adopting cybersecurity measures, just 38 percent. The study was carried out by the Center for Strategic and International Studies and McAfee, the cybersecurity firm.
Default passwords and Internet connection are not good cybersecurity practice for any critical infrastructure facility, and yet discoveries in the water/sewage sector are “not uncommon,” a senior cybersecurity official with DHS told the Monitor.
Even so, he notes that forensic analysis of the Illinois case showed quite clearly that neither the Illinois water utility nor the computer-control systems vendor serving it had been hit by a foreign cyberattacker – although he did not explain why the Illinois terrorism center made such a mistake. While utilities often do not keep detailed logs adequate to tell if an intrusion has even taken place, that was not true in this case.
“My technical people on the ground say they had adequate logging, and enough detail to find out there was no intrusion,” the senior official says. “My team could not find any evidence of an intrusion.... In lots of cases, installations with control systems don’t have good logging, but here the forensics here were fairly good.”
The DHS's investigation was simply a matter of running to ground a preliminary report that turned out to be false, not unlike many other reports, he says.
“We need to underscore that the initial reporting [by Illinois terrorism center] is consistent with type of report we often get,” the senior official says. “We don't spend lot of time caveating [telling state officials to indicate weaknesses in their initial reports.] We want to make sure that any suspicions emerge to be investigated, even if they later turn out to be wrong.”