IL water system pump failure not cyber attack
New reports on Nov. 28 backed initial DHS skepticism that the failure of a pump at an Illinois water utility was a foreign cyber attack on the system’s supervisory control and data acquisition (SCADA) system.
The Washington Post reported on Nov. 28 that the failure of a water pump was the result of an error by one of the utility’s contractors who was travelling in Russia at the time and accessing the SCADA system remotely. The report backs earlier conclusions by DHS cyber security teams that the failure of the pump at Curran-Gardner Public Water District in Springfield, IL, wasn’t the work of Russian cyber criminals or agents.
The pump’s failure in early November was widely reported to have been the first successful cyber attack on a physical facility. The pump was instructed electronically to cycle on and off repeatedly, which burned it out.
The Illinois Statewide Terrorism & Intelligence Center (STIC) had issued a report on the incident in its Nov. 10 Daily Intelligence Notes titled “Public Water District Cyber Intrusion” that detailed initial findings of anomalous behavior in a SCADA system at a Central Illinois public water district. The report also alleged a malicious cyber intrusion from an IP address located in Russia that caused the SCADA system to power on and off, resulting in the burnout.
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said in a Nov. 23 post on its website that the suspicion of a cyber attack wasn’t supported. It said initial analysis of log files couldn’t validate any evidence to support the assertion that a cyber intrusion had occurred.
ICS-CERT said it reached out to Curran-Gardner Public Water District to gather detailed information and offer support and analytics to uncover what caused the pump to fail, but said there still wasn’t evidence of a cyber attack.
“After detailed analysis of all available data, ICS-CERT and the FBI found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District,” it said. To reach that conclusion, ICS-CERT and the FBI deployed fly-away teams to interview personnel, perform physical inspections, and collect logs and artifacts for analysis.
“In addition, there is no evidence to support claims made in the initial Illinois STIC report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant,” it said. “In addition, DHS and the FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported,” it added.