FAQ: An update on the Illinois water district non-hack

After initial reports of a SCADA attack were debunked, questions remain

As it turns out, reports that Russian hackers broke into the Curran-Gardner Water District network in Illinois using a username and password stolen from a consultant to the district, and then accessed its control system to burn out a pump, are not true.

Nor, it now appears, was the pump in question switched on and off on command from the control platform that oversees it until it overheated and failed.

The incident last month was also not the first known cyberattack against U.S. critical infrastructure launched by a foreign power, as was initially touted.

So what did happen and how did the story get so out of hand? Here are some questions and answers to shed some light. The answers are based on original reporting and published reports.

So what did happen?

A pump burned out in the Curran-Gardner Water District infrastructure sometime around the beginning of November. In trying to figure out why it burned out, a consultant noted that about four months earlier someone had accessed the district's supervisory control and data acquisition (SCADA) network from a Russian IP address. The username and password of a SCADA consultant the district contracts with were used to gain entry.

The SCADA consultant whose username and password were used, Jim Mimlitz, owner of Navionics Research, told Wired that he did in fact access the system from Russia in June, while on vacation there with his family. He says he did so in response to a request from Curran-Gardner to examine historical data housed on the machine hosting the SCADA software.

A different consultant asked in November to look into the cause of the pump failure noted the log entry from when Mimlitz accessed the system in June. Water district officials reported the incident to the Environmental Protection Agency as a precaution.
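The investigative step described above, as an added example that is not code from the water district, Navionics Research, DHS or this article: a small timeline triage over constructed SCADA remote-access log lines. The log format, the IP-to-country table, the user names and the dates are all assumptions made for illustration. The point it demonstrates is the one the incident turned on: a successful login with a legitimate credential from an unexpected country is an anomaly to verify with the credential's owner, and a login four months before the equipment failure is not evidence of what caused the failure.

```python
"""Timeline triage of SCADA remote-access logins against a pump-failure time.

Added example, not code from the water district, Navionics Research or the
article.  The log line format, the IP-to-country table, the user names and
the dates are all constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed IP-to-country table (assumption); real triage would query a
# GeoIP database.  Both ranges are documentation prefixes, not real hosts.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "RU",
}

# Assumed log format: "<YYYY-MM-DD HH:MM:SS> LOGIN user=<u> src=<ip> result=<ok|fail>"
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src: str
    country: str
    ok: bool


@dataclass(frozen=True)
class Attestation:
    """Out-of-band statement from a credential owner: "I was in <country>
    between <start> and <end> and used my account from there"."""
    user: str
    country: str
    start: datetime
    end: datetime


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"  # unknown origin is treated as foreign by triage()


def parse_logins(lines: list[str]) -> list[Login]:
    """Keep only LOGIN records; other record types and malformed lines are skipped."""
    logins = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        logins.append(Login(ts, m["user"], m["src"], country_of(m["src"]), m["result"] == "ok"))
    return logins


def triage(logins, failure_at, window_days=7, home="US"):
    """Split successful foreign-origin logins into those inside the incident
    window (plausible causes of the failure) and those outside it (anomalies
    that need verification with the credential owner, not escalation)."""
    window_start = failure_at - timedelta(days=window_days)
    in_window, to_verify = [], []
    for login in logins:
        if not login.ok or login.country == home:
            continue
        if window_start <= login.ts <= failure_at:
            in_window.append(login)
        else:
            to_verify.append(login)
    return in_window, to_verify


def unexplained(logins, attestations):
    """Foreign logins not covered by the credential owner's attestation of travel."""
    def covered(login):
        return any(a.user == login.user and a.country == login.country
                   and a.start <= login.ts <= a.end for a in attestations)
    return [l for l in logins if not covered(l)]


# Constructed sample data: one vendor login from abroad in June, routine
# operator logins from the plant, and the pump failure in early November.
SAMPLE_LOG = [
    "2011-06-14 03:12:41 LOGIN user=integrator src=203.0.113.45 result=ok",
    "2011-06-14 03:40:02 LOGOUT user=integrator src=203.0.113.45",
    "2011-10-28 14:05:10 LOGIN user=operator1 src=198.51.100.8 result=ok",
    "2011-11-01 22:17:55 LOGIN user=operator1 src=198.51.100.8 result=fail",
    "2011-11-02 08:50:03 LOGIN user=operator1 src=198.51.100.8 result=ok",
    "corrupted record",
]
FAILURE_AT = datetime(2011, 11, 2, 9, 15)
ATTESTATIONS = [
    Attestation("integrator", "RU", datetime(2011, 6, 10), datetime(2011, 6, 24)),
]

if __name__ == "__main__":
    in_window, to_verify = triage(parse_logins(SAMPLE_LOG), FAILURE_AT)
    print("foreign logins inside the incident window:", in_window)
    print("foreign logins needing owner verification:", to_verify)
    print("still unexplained after attestations:", unexplained(to_verify, ATTESTATIONS))
```

Run as written, the June login lands in the "needs verification" bucket rather than the incident window, and a single attestation from the credential owner clears it. The design choice is that geography alone never promotes a login to "intrusion": it has to be both inside the failure window and unexplained by the owner before it is worth escalating, which is the correlation the fusion-center report skipped.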

What's the big deal?

The report of the pump failure and the access from the Russian IP address made its way to the Illinois Statewide Terrorism & Intelligence Center (STIC), which issued a Nov. 10 report describing the incident in alarming terms. The report "Public Water District Cyber Intrusion" says the water district's network was hacked from a Russian IP address. It was believed, the report says, that the hackers had gained access to legitimate usernames and passwords from the consultant who sold the district its SCADA software (that is, Navionics). Those stolen credentials included usernames and passwords of other clients of the SCADA software integrator, the report says.

For the two or three months leading up to the pump failure, the report says, glitches were observed in the remote access system to the SCADA network. Whoever hacked into the SCADA network cycled power to the pump in question on and off, resulting in the pump burning out, according to the Illinois STIC report.

Isn't that serious?

It seems so. One recipient of the Illinois STIC report showed it to its SCADA consultant, Joe Weiss. Weiss says he thought the report contained information that ought to have been widely disseminated among water authorities, yet no word of the hack was coming out of official channels. After a week or so, he decided to leak the report to the press, initially the Washington Post, which ran a story under the headline, "Foreign hackers targeted U.S. water plant in apparent malicious cyber attack, expert says."

Other outlets picked up the story, identifying the attack as the first successful hack to cause damage to U.S. critical infrastructure launched from a foreign country.

How did the U.S. react?

The Department of Homeland Security's (DHS) Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) issued a statement saying it could not corroborate the report from Illinois STIC, also known as the Illinois Fusion Center: "There is no evidence to support claims made in the initial Fusion Center report -- which was based on raw, unconfirmed data and subsequently leaked to the media -- that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available."

Why did Illinois STIC send out a report based on raw, unconfirmed data?

That's being reviewed internally, says Monique Bond, a spokeswoman for Illinois STIC. The review seeks to establish how the information was passed along until it became public, she says, and what its status was -- for example, whether it was raw intelligence or actionable information.

Where did the information in the report come from?

DHS, Bond says.

Wait, didn't DHS say there's no evidence to support the Illinois STIC report?

That's right, but apparently the information reached Illinois STIC before DHS had investigated thoroughly.

Why did Illinois STIC send out such an alarming notice without checking it out?

That's something else Bond says the internal review is looking into.

What is a STIC anyway?

Illinois STIC is the state's fusion center. Fusion centers are collaborative groups that include state police, the FBI, DHS and other pertinent agencies, which pool information in an effort to spot malicious activity and stop it. Each one -- there are more than 70 of them -- sets up its own procedures.

Was the initial STIC report secret?

It was marked unclassified and sent to a limited list of people.

So what's with Joe Weiss spreading it around?

Weiss says that if the information was worth sending out at all, it was worth sending out broadly and as soon as possible to people who might benefit from it. After all, if user credentials protecting public water supplies had been compromised, or if a foreign power had begun attacking critical infrastructure, it would be important for potential targets to know about it. For example, other water districts using the same SCADA integrator would want to know that their usernames and passwords might have been stolen. He says he waited days for a follow-up report or broader notification through conventional channels, but none came. He took it upon himself to spread the word via the press.

Copyright © 2011 IDG Communications, Inc.