In a statement issued Wednesday, DHS spokesman Chris Ortman said his agency and the FBI have completed a detailed analysis of the pump failure at the Curran-Gardner Public Water District in Springfield.
“There is no evidence to support claims made in initial reports — which were based on raw, unconfirmed data and subsequently leaked to the media — that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant,” Ortman said. “In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported.”
The DHS analysis appears to be at odds with an initial report on the incident released by the Illinois Statewide Terrorism and Intelligence Center. A copy of the report was obtained by SCADA (supervisory control and data acquisition) security expert Joseph Weiss, who then disclosed its contents to several media outlets.
According to Weiss, the initial report said the pump was destroyed after cyberattackers gained access to a SCADA system controlling the pump and caused it cycle on and off intermittently. The attackers apparently had gained access to the system by stealing login credentials from the SCADA vendor who had supplied it to the water utility.
Weiss also noted that the attack appeared to have been carried out by someone using a computer with an IP address based in Russia.
In response to Weiss’ disclosure, the DHS acknowledged the pump failure but said it needed time to determine whether the failure had been caused by a cyberattack.
A DHS source speaking on background today said the Illinois state agency had released two “Unclassified/For Official Use Only” documents relating to a potential cyber compromise at the Curran-Gardner facility. The reports were not conclusive and were only an initial raw report on the pump failure.
Copies of the initial reports were made available to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) on Nov. 16. An initial ICS-CERT evaluation of the system log file that was provided by the state center showed no evidence of a cyberattack.
The DHS official described the utility company’s SCADA vendor as a small regional integrator of custom control systems for rural water utilities. At the invitation of the vendor, the ICS-CERT last Sunday sent a team to gather additional forensic data to see whether it could identify the cause of the pump failure. The DHS will release more information as it becomes available, but for the moment has no specific recommendations for water utilities other than to follow standard best practices.
Weiss’ disclosure of the alleged cyberattack garnered widespread attention and resurfaced longstanding concerns about the vulnerability of U.S. critical infrastructure to targeted threats.
In response to the DHS statement, Patrick Miller, president of the Energy Sector Security Consortium (EnergySec), a Department of Energy supported non-profit, today said the threat to critical infrastructures continues to be real. “There is a lot of older equipment used in industrial control systems in both water and energy industries,” Miller said in an emailed statement. “These older systems were not designed to include security and they are not easy to upgrade so they are very vulnerable.”