The U.S. Department of Homeland Security today took aim at widespread media reports about a hacking incident that led to an equipment failure at a water system in Illinois, noting there was scant evidence to support any of the key details in those stories — including involvement by Russian hackers or that the outage at the facility was the result of a cyber incident.
Last week, portions of a report titled “Public Water District Cyber Intrusion” assembled by an Illinois terrorism early warning center were published online. Media outlets quickly picked up on the described incident, calling it the “first successful target of a cyber attack on a computer of a public utility.” But in an email dispatch sent to state, local and industry officials late today, DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said that after detailed analysis, DHS and the FBI “have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.” The ICS-CERT continued:
“There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant,” the ICS-CERT alert states. “In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.”
The statement is the most strongly worded yet from DHS refuting the alleged cyber incident in Illinois. The story broke on Nov. 17, when Joe Weiss, managing partner of Applied Control Solutions, a security consultant for the control systems industry, published a blog post about a disclosure he reported reading from a state terrorism intelligence center about a cyber intrusion into a local water plant that resulted in the burnout of a water pump. The break-in reportedly allowed intruders to manipulate the supervisory control and data acquisition system, or “SCADA” networks that let plant operators manage portions of the facility remotely over the Internet. Within hours of that post, media outlets covering the story had zeroed in on the Curran-Gardner Water District as the source of the report.
Weiss has repeatedly declined to share or publish the report, but he cited large portions of it in my story from last week. The language and details reported in it stand in stark contrast to the DHS’s version of events. According to Weiss, the report, marked sensitive but unclassified, stated:
“Sometime during the day of Nov. 8, 2011, a water district employee noticed problems with a SCADA system. An information technology service and repair company checked the computer logs of the SCADA system and determined the system had been remotely hacked into from an Internet provider address located in Russia. The SCADA system that was used by the water district was produced by a software company based in the US. It is believed the hackers had acquired unauthorized access to the software company’s database and retrieved the usernames and passwords of various SCADA systems, including the water district systems.”
“Over a period of 2-3 months, minor glitches have been observed in remote access to the water district’s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump.”
“This network intrusion is the same method of attack recently used against the MIT Server,” the water district alert stated. “The water district’s attack and the MIT attack both had references to PHPMyAdmin in the log files of the computer systems. It is unknown at this time the number of SCADA usernames and passwords acquired from the software company’s database, and if any additional systems have been attacked as a result of this theft.”
Weiss blogged about the ICS-CERT statement, and said he can’t figure out how the two accounts could be so different. He notes that the day after his blog post, Don Craven, chairman of the Curran-Gardner Water District, was quoted on a local ABC News affiliate television interview saying that there was “some indication that there was a breach of some sort into a software program, a SCADA system, that allows remote access to the wells and the pumps and those sorts of things” (see video below).
“The real thing that bothers me is how could there be such substantial amount of information provided where a lot of it is really a simple yes or no situation,” Weiss said. “Was there a Russian [Internet] address involved or wasn’t there? The Illinois facility also said their technician had observed these abnormalities for 2-3 months. Well, either he did or he didn’t.”
The ICS-CERT communique also mentioned another alleged hacking incident of a water facility in Texas that was widely reported last week. In that incident, a hacker using the nickname “pr0f” claimed to have gained access to a water control systems plant, and posted a series of screen shots to prove his accomplishment.
Regarding the alleged hack in Texas, the ICS-CERT would only say it is still investigating:
“In a separate incident, a hacker recently claimed to have accessed an industrial control system responsible for water supply at another U.S. utility,” the ICS-CERT alert continued. “The hacker posted a series of images allegedly obtained from the system. ICS-CERT is assisting the FBI to gather more information about this incident. ICS-CERT has not received any additional reports of impacted manufacturers of ICS or other ICS related stakeholders related to these events. If DHS ICS-CERT identifies any information about possible impacts to additional entities, it will disseminate timely mitigation information as it becomes available. ICS-CERT encourages those in the industrial control systems community who suspect or detect any malicious activity against/involving control systems to contact ICS-CERT.”
My story from last week quoted Michael Assante, president and CEO of the National Board of Information Security Examiners and a former chief security officer for the North American Electric Reliability Corporation (NERC), expressing concern that initial reporting on cyber-related SCADA incidents often turns out to be inaccurate.
But Weiss said the complete reversal makes no sense, and that “something doesn’t smell right.” By way of example, he points to the fact that while media reports on the claimed hack of the Texas facility made today’s DHS Daily Infrastructure Report, the Illinois incident is noticeably absent from any of the recent editions of that report.
“What this is essentially saying is the state intelligence centers shouldn’t put anything out unless DHS approves it,” Weiss told KrebsOnSecurity. “It says either Illinois is incompetent or DHS is covering something up.”
State fusion centers, most of which were formed under a joint project between DHS and the Justice Department between 2003 and 2007, collect data from government and private sector sources. Some of the centers have produced warnings that have been a tad controversial. For example, a report in 2009 from the Virginia Fusion Center warned that certain historically black colleges were potential hubs for terror related activity, and identified hacktivism as a form of terrorism.