Security Experts:

DHS Downplays SCADA Breach at U.S. Water Utility

SCADA

DHS Downplays SCADA Breach That Destroyed Pump at Water Utility, Saying No Credible Corroborated Data at This Time

Reports on Thursday emerged that after gaining unauthorized access, hackers have destroyed a pump used by a US water utility in Springfield, Illinois. The report comes from an interview given to them by, Applied Control Solutions’ Joe Weiss, who learned of the incident from a report issued by the state’s government.

Weiss told The Register that over a period of about two to three months, the attackers targeted the pump itself or the SCADA system controlling it, and destroyed it by causing one of the two to turn on and off repeatedly. Weiss got his information from a report that was released two days after the attack was discovered.

According to what little information Weiss placed in the public, as seen here, in addition to the broken pump, it’s possible “the SCADA software vendor was hacked and customer usernames and passwords stolen...It is unknown if other water system SCADA users have been attacked.”

“The disclosure was made by a state organization, but has not been disclosed by the Water ISAC, the DHS Daily unclassified report, the ICS-CERT, etc. Consequently, none of the water utilities I have spoken to were aware of it.”

In his interview with The Register’s Dan Goodin, Weiss continued, “This is really a big deal, and what's just as big a deal is what isn't being said or isn't being done. What the hell is going on with DHS? Why aren't people being notified?”

But the DHS is aware of what’s going on, at least according to spokesman Peter Boogaard, who said they have no credible corroborated data, but they are investigating. “DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” he said in a prepared statement.

In a separate interview with CNET, Weiss disputed the DHS’ official stance.

Related Reading: Industrial Control Systems Security One Year After Stuxnet

Related Reading: Bridging the Air Gap: Examining Attack Vectors into Industrial Control Systems

Related Reading: Are Industrial Control Systems Secure?

Related Reading: How to Make the Smart Grid Smarter than Cyber Attackers

Related Reading: The Increasing Importance of Securing The Smart Grid

Related Reading: Stuck on Stuxnet - Are Grid Providers Prepared for Future Assaults?

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.