Critical Systems at Risk Despite Water Utility False Alarm
A couple weeks ago there were reports that a water utility in Illinois had been hacked—and a water pump subsequently damaged—by attackers based in Russia. A DHS investigation determined that no such hack ever occurred, but security experts warn that more still needs to be done to protect the critical infrastructure.
As it turns out, the incident with the Curran Gardner Public Water District outside of Springfield, Illinois was not a hack at all. An exclusive report from Wired.com’s Threat Level explains that Jim Mimlitz--the founder and owner of Navionics Research, the company that set up the utility’s control system--is responsible for the “suspicious” activity.
Threat Level reports that Mimlitz was on vacation in Russia with his family when the water utility called for support, and asked him to remotely log in to check out some data-history charts stored in the SCADA (Supervisory Control and Data Acquisition) system.
Mimlitz didn’t feel it was relevant to mention that he was in Russia at the time, or that he also logged in from his mobile phone while on a layover in Germany. Months later, though, when a water pump failed and the utility launched an investigation into the root cause, the Russian IP address sparked suspicion and led to some grand assumptions that the water pump failure was the result of a hack.
So, the Illinois water pump “hack” is really just a comedy of errors and false assumptions. Nothing to see here, folks.
But, just because this incident turned out to be nothing does not mean that the threat doesn’t exist, or that the systems and networks that make up the critical infrastructure of the nation are not at risk. These systems provide operational control and monitoring for manufacturing facilities, chemical plants, natural gas pipelines, hydroelectric and nuclear power plants, and more. They are high-profile targets running on legacy networks, often without proper security controls in place.
Patrick Miller, CEO of EnergySec, a DOE supported non-profit organization that helps energy sector organizations secure their critical technology infrastructures, says that municipal utilities in particular have a difficult time maintaining proper security because every penny spent must meet the approval of scrutiny from voters and politicians.
Miller says, “The biggest problem with municipalities is that they underestimate the reality of cyber security threats and their relative vulnerability due to their size. They think ‘we're too small to be a target’ or ‘we don't really have anything of value to a hacker, terrorist or organized crime ring’.”
Of course, that assumption is wrong. Regardless of the relative size of the municipal utility itself, it still serves some population base which could be a worthwhile target, and local municipalities are often connected to the larger infrastructure which makes them the low-hanging fruit which could provide a way for attackers to exploit even bigger targets.
Security is generally a second thought in computer networks, and it is often the first part of the budget to get axed. But, when it comes to the critical infrastructure the nation relies on, more needs to be done to protect it.
[Update: The article has been edited to remove a link referencing comments attributed to Michael Welch, deputy assistant director of the FBI's Cyber Division. An individual from the FBI National Press Office alerted me to the fact that the quotes in the article were misleading, and taken out of context, and should not be construed as any sort of official statement or position of the FBI.]