By Mike M. Ahlers
Federal officials confirmed they are investigating whether a cyber attack may have been responsible for the failure of a water pump at a public water district in Illinois last week. But they cautioned that no conclusions had been reached, and they disputed one cyber security expert's statements that other utilities are vulnerable to a similar attack.
Joe Weiss, a noted cyber security expert, disclosed the possible cyber attack on his blog Thursday. Weiss said he had obtained a state government report, dated Nov. 10 and titled "Public Water District Cyber Intrusion," which gave details of the alleged cyber attack culminating in the "burn out of a water pump."
Such an attack would be noteworthy because, while cyber attacks on businesses are commonplace, attacks that penetrate industrial control systems and intentionally destroy equipment are virtually unknown in the U.S.
According to Weiss, the report says water district workers noted "glitches" in the systems for about two months. On Nov. 8, a water district employee noticed problems with the industrial control systems, and a computer repair company checked logs and determined that the computer had been hacked.
Weiss said the report says the cyber attacker hacked into the water utility using passwords stolen from a control system vendor, and that he had stolen other user names and passwords. Weiss said the Department of Homeland Security has an obligation to inform industry about the "water pump" attack so they could protect themselves from similar assaults.
But a DHS spokesman said the cause of the water pump failure is unknown. The DHS and FBI are "gathering facts," DHS spokesman Peter Boogaard said in a statement. "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety," he said.
If DHS identifies any useful information about possible impacts to additional entities, it will disseminate it as it becomes available, Boogaard said.
And another computer expert familiar with the incident said the government was acting properly.
"This is just one of many events that occur almost on a weekly basis," said Sean McGurk, former director of the National Cybersecurity and Communications Integration Center. "While it may be nice to speculate that it was caused by a nation-state or actor, it may be the unintended consequence of maintenance," he said.
DHS does not have the luxury of jumping to conclusions, McGurk said. "The department has to ensure that they're sharing information in a way that's valuable to the community," he said.
McGurk also said the state report may be in error, especially if the writer was not a water or control systems engineer. "We see that all the time - initial reports that turn out to be wrong," he said.
Weiss, a frequent critic of DHS, said he was revealing details of the state document because he believes other utilities should be aware of the incident so they could take precautions. DHS should have distributed information about the attack through several entities set up to share information, as well as to private industry groups.
Weiss declined to identify the state - or the region - where the water utility was located, saying the report was marked "For Official Use Only."
But in its statement, the DHS said the water system was located in Springfield, Ill.