US utility sabotage

Russian hackers may have sabotaged a water pump in what’s being described as the first foreign cyber attack on US utility infrastructure, damaging both hardware and confidence in critical systems. The attack targeted a Springfield, Illinois water utility station on November 8, Reuters reports, using network credentials stolen from an industrial software developer; the pump was apparently remotely activated and burnt out, though redundant systems meant no impact was felt by residents of the town.

Nonetheless, the event is being taken seriously by the Illinois Statewide Terrorism and Intelligence Center, with the US Department of Homeland Security and the FBI both involved in the investigation. Although the investigation is still at an early stage, the teams involved insist there is no cause for ongoing concern, with DHS spokesperson Peter Boogaard arguing that “there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

Despite those reassurances, online security specialists are already drawing parallels between the Illinois attack and the Stuxnet virus that impacted Iranian nuclear facilities in 2010. Although never acknowledged by either government, many believe that particular viral strike – which sabotaged a centrifuge used in uranium enrichment – was controlled by the US and Israel.

“Over a period of two to three months, minor glitches had been observed in remote access to the water district’s SCADA [Supervisory Control and Data Acquisition] system,” security expert Joe Weiss told The Register, having acquired a copy of the Illinois report detailing the water pump hack. The “glitches” escalated to the point where the pump was power-cycled until it burnt out; since multiple pumps are used at the facility, no interruption to the water supply was observed.

Evidence of further hacking has not been observed, though it’s unclear how many remote access credentials have been stolen by those responsible. It is reportedly usual for usernames and passwords to be hard-coded to SCADA hardware, which could make a broad security refresh more difficult than with traditional enterprise systems.


1 Response to US utility sabotage

  1. shulquist says:

    Springfield water debunked blogger Russian ip contractor w legit access.
    Mystery solved. A reported cyberattack on a water district in central Illinois turned out to be a false alarm set off when an American contractor logged onto the system remotely while vacationing in Russia.

    Jim Mimlitz of suburban St. Louis says he hopes he’ll be able to laugh about it someday. For now, the contractor is puzzled. Why didn’t terrorism investigators pick up the phone and call him? He says he could have straightened out the matter quickly.

    Instead, investigators assumed someone had stolen Mimlitz’ password and hacked into the system from Russia, causing a water pump to shut down five months later. A blogger spread word of the possible hack, touching off a minor panic.

    The truth is, Mimlitz was on vacation with his family in Russia in June. Someone from the Curran Gardner Public Water District near Springfield called his cell phone and asked him to check data on the system. He did, but he didn’t mention he was doing so from Russia.

    Months later, after the water pump failed, a repairman examining the logs saw a Russian IP address linking to the system with Mimlitz’ sign-on. The water district reported that to a state agency and the Illinois Statewide Terrorism and Intelligence Center got involved.

    The center released reports about a potential cyber compromise at the water district. The reports were meant to be initial raw reporting and not conclusive. A security consultant and blogger wrote about the reports and released the documents to reporters. The incident was reported as possibly the first successful cyberattack on the U.S. infrastructure.

    “A quick and simple phone call to me right away would have defused the whole thing immediately,” Mimlitz said. “All I did was I logged on. I tried to help. I looked at some data and gave them my advice.”

    The story of Mimlitz’ vacation was first reported by Wired magazine’s Threat Level blog. Mimlitz spoke to The Associated Press on Thursday.

    There was no immediate response to requests for comment from the Illinois State Police, which took part in the investigation. A spokesman for the U.S. Department of Homeland Security referred to the department’s previous statements saying there was “no evidence to support claims made” in the initial Illinois report “which was based on raw, unconfirmed data and subsequently leaked to the media …”

    Mimlitz has only kind words for the FBI and Department of Homeland Security investigators he met with last week for nearly four hours.

    “I was as open as I could be,” he said. “I wasn’t trying to hide anything. I was just trying to help them find the problem. Even if the end result was not going to be good for me, that wasn’t my concern. It was a very productive meeting and they were extremely sharp people.”

    Mimlitz’s company — Navionics Research in Eureka, Mo. — helped set up the system that remotely manages computers controlling machinery in the water district. Security experts have pointed out such Supervisory Control and Data Acquisition systems are vulnerable to hacking.

    “I think our system’s very secure,” Mimlitz said. “It doesn’t mean we’re not going to keep working on it.”
