Intruders compromised a water utility network last week and destroyed a pump, according to a state government report cited by a critical infrastructure security expert today.
It appears that hackers breached the network of a company that makes SCADA (supervisory control and data acquisition) and stole customer usernames and passwords, said Joe Weiss, managing partner of Applied Control Solutions. "There was damage--the SCADA system was powered on and off, burning out a water pump," he wrote in a brief blog post.
The report did not identify the water utility attacked or the SCADA software vendor compromised, Weiss said in an interview with CNET. He declined to say where the utility is based because the report, released by a state terrorism information center, is marked "For Official Use Only." However, a Department of Homeland Security representative indicated the facility was located in Springfield, Ill.
"It is unknown, at this time, the number of SCADA usernames and passwords acquired from the software company's database and if any additional SCADA systems have been attacked as a result of this theft," he said, reading from a report entitled "Public Water District Cyber Intrusion." It was released November 10, two days after the water utility attack was discovered, he said.
"This is a really big deal," said Weiss, an industry provocateur who pushes for stronger security practices and better disclosure in the industry. The incident has not been disclosed by the Department of Homeland Security's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) or any other officials, he said, adding "What are we doing with disclosure?"
The DHS said in a statement to CNET that it was investigating the incident but declined to comment on whether a security breach had occurred.
"DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Ill.," DHS spokesman Peter Boogaard said in a statement. "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."
Weiss disputed this statement.
"The statement is inconsistent with the report from the Illinois Statewide Terrorism and Intelligence Center Daily Intelligence Notes dated November 10, 2011, titled 'Public Water District Cyber Intrusion,'" he said.
The water utility had noticed minor glitches in the remote access to the SCADA system for two to three months before it was identified as a cyber attack, Weiss said. This is similar to the 2000 hacking (PDF) in Queensland, Australia, in which a wastewater treatment plant failed to notice dozens of attempts to access the system. Using wireless radio and stolen control software, a consultant on the project who was angry over not getting a job was eventually able to get in and release up to one million liters of sewage into the river and coastal areas, killing marine life and turning a creek black.
"We don't have cyber forensics, so when they see (issues) they don't think it's a cyber problem. They just think it's a glitch in the system," Weiss said. "Why won't we have a cyber Pearl Harbor? Because we won't know it."
Weiss could not say how the SCADA vendor was breached, but speculated that programmable logic controllers (PLCs) were involved in the attacks. "I would be surprised if it didn't," he said. "This is a water utility and they are very dependent on PLCs."
The Stuxnet attack of last year, which is believed to have been the first computer attack targeting critical infrastructure systems, targeted PLCs from Siemens. PLCs are used to automate mechanical devices in utilities, power plants, and other industrial control environments. They are known to use hard-coded passwords that can not be easily changed in the event of a compromise.
Weiss also said the report indicated that the IP address used in the water utility attack was traced back to Russia. However, that doesn't mean the attack was launched from there because tracks of hackers can so easily be hidden and made to look like they originated elsewhere.
Utilities and energy companies would be attractive targets for hackers wanting to cause damage to a community, but it's unclear who is behind the attack.
While reports of utilities being hacked are rare, experts say the incidents that make the news are likely only the tip of the iceberg of what is really happening. For instance, Weiss said he came across news of a previously undisclosed SCADA system breach of a Southern California water department in a posting on LinkedIn in February.
Updated at 8:45 p.m. PT with DHS comment.
Update 3:42 p.m. PT November 18: An official at Curran-Gardner Townships Public Water District near Springfield, Illinois, told The State Journal-Register newspaper that the incident occurred at their water facility. "Whether the burnout of that pump was related to this what might or might not have been a hacking, we don't know," Don Craven, a water district trustee, is quoted as saying. Officials there did not return a call from CNET seeking comment early today.