DHS denies report of water utility hack

Department of Homeland Security says Illinois utility was not hacked and investigates claims of hack on Texas water utility.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

The Department of Homeland Security and FBI today dismissed the conclusions of a report that a cyber intrusion caused a pump at an Illinois water utility to burn out. But the statement doesn't explain why an Illinois state terrorism intelligence center would say it was a hacker when it wasn't.

In the meantime, the DHS is investigating a claim by a hacker who goes by "pr0f" to have compromised a Texas water utility last week.

"After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois," DHS spokesman Chris Ortman said in the statement provided to CNET. "There is no evidence to support claims made in initial reports--which were based on raw, unconfirmed data and subsequently leaked to the media--that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available."

Control systems expert Joe Weiss unearthed what appeared to be the first report of an attack on a U.S. water utility last week. According to a report titled "Public Water District Cyber Intrusion" and released in the Illinois Statewide Terrorism and Intelligence Center Daily Intelligence Notes of November 10, a pump at a water utility in Illinois burned out when a SCADA (supervisory control and data acquisition) system was repeatedly switched on and off. The report said an intruder was apparently able to get access to the SCADA system after stealing customer usernames and passwords from a SCADA vendor.

The DHS said at the time that there was "no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety." An official at Curran-Gardner Townships Public Water District near Springfield, Ill., confirmed the incident to The State Journal-Register but couldn't say what caused the pump to burn out.

Angered by the DHS response, pr0f posted images to the Internet of the SCADA system of a water utility in South Houston, Texas, as proof that he hacked into the system. He told CNET in an interview that he doesn't have a background in SCADA and that the hack was relatively easy, and he told ThreatPost that the utility used only a three-character password to secure its SCADA system.

Asked for comment on the latest DHS statement, Weiss said, "What does this mean for disclosure when you have two government entities that appear to be so inconsistent with each other? There was not one time in the Illinois notification that the word 'preliminary' was used. There was nothing in there that indicated that there was a question mark associated with this."

Regardless of the questions surrounding these recent reports of hacks on the water industry, experts say that with all the SCADA connections to the Internet, some of which can be found on Google, and the fact that legacy systems were not designed to be accessed online or designed with security in mind, it's not farfetched to think that hackers may be testing the critical infrastructure waters, so to speak. And the nation's smaller utilities are more susceptible to security issues given their lack of security expertise and resources.

If so, what does that mean for the millions of Americans who turn on the tap to get a glass of water?

The major concern with cyber attacks on water systems is not pollution but interfering with the supply, according to several experts CNET interviewed.

"This isn't a poison problem," Weiss said today. "It's a capacity problem more than anything."

So, what exactly can happen when SCADA systems are connected to the Internet and someone finds a way in?

Well, software can be used to modify programmable logic controllers (PLCs), which are used to automate mechanical devices in utilities and other industrial control environments. And PLCs are known to use hard-coded passwords that aren't easily changed in the event of a compromise. For instance, a sophisticated piece of malware dubbed Stuxnet surfaced last year, spreading via holes in Windows and targeting computers running Siemens industrial control software. Experts believe it was created to destroy equipment--by increasing and decreasing the speed of a motor--in the hopes of ultimately sabotaging Iran's nuclear program.

"If you take control of the SCADA system you can do what you want, like start turning pumps on and off," said Weiss. "SCADA is called the 'master station' for a reason."

In a water utility, similar cyber tweaking could snap shafts, destroy couplings, and shear bolts--all things that could result in damage to equipment, said a design engineer at a large U.S. water utility who asked not to be named. If too much water is forced through the pipes at once, a pipeline could explode, potentially harming people in the vicinity and disrupting the entire system, he said.

"They could slam a valve shut. You've got to close them slowly to avoid setting up a shockwave that works like a water hammer in the system," the engineer said. "If you send a command to more than one pump and there is a blockage somewhere, you can stress a pipeline until the water makes a hole in it."
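The pump cycling and abrupt valve closure described above both leave a trace in SCADA command logs. The following Python detector is an added example, not part of the original article; it flags both patterns in a constructed log, and the log format, device names, source names and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_STARTS = 3                      # assumed limit on motor starts per window
WINDOW = timedelta(minutes=10)      # assumed look-back window
MIN_CLOSE_SECONDS = 30              # assumed minimum safe valve closing time

# Constructed sample log: timestamp, command source, device, command, options
SAMPLE_LOG = """\
2024-01-01T02:00:00 remote-17 PUMP-3 START
2024-01-01T02:00:40 remote-17 PUMP-3 STOP
2024-01-01T02:01:10 remote-17 PUMP-3 START
2024-01-01T02:01:50 remote-17 PUMP-3 STOP
2024-01-01T02:02:20 remote-17 PUMP-3 START
2024-01-01T02:03:00 remote-17 PUMP-3 STOP
2024-01-01T02:03:30 remote-17 PUMP-3 START
2024-01-01T02:05:00 remote-17 VALVE-7 CLOSE ramp=2
2024-01-01T06:00:00 operator-a PUMP-1 START
2024-01-01T06:30:00 operator-a VALVE-2 CLOSE ramp=90
"""

def find_anomalies(log_text):
    """Return a list of (timestamp, source, device, reason) tuples."""
    starts = defaultdict(deque)     # device -> timestamps of recent STARTs
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                # skip blank or malformed lines
        ts, source, device, command = parts[:4]
        when = datetime.fromisoformat(ts)
        if command == "START":
            recent = starts[device]
            recent.append(when)
            while when - recent[0] > WINDOW:
                recent.popleft()    # drop starts older than the window
            if len(recent) > MAX_STARTS:
                alerts.append((ts, source, device, "short-cycling"))
        elif command == "CLOSE":
            args = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
            ramp = float(args.get("ramp", 0))   # no ramp given: treat as instant
            if ramp < MIN_CLOSE_SECONDS:
                alerts.append((ts, source, device, "fast-valve-close"))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```
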

Not only would supplies be affected, but a disruption would require more staff to fix the problem than facilities might have. "SCADA systems enable us to staff down and we've taken advantage of that," the engineer said. "If a hacker gets into the system we can operate the system for eight hours, at which point someone needs to go to sleep and then what do you do?"

Breaking pipes and potentially cutting off water to communities is the engineer's concern, not pollution, particularly given the amount of water that goes through a system, which is typically 100 gallons per person per day.

"We chlorinate the water so any pollutant would need to be inorganic to survive the chlorine," he said. "You'd practically have to bring your poison out there in a tanker truck."

However, it's a different story for waste water treatment plants. In a case attributed to operator error, poor design, and a malfunction--but not hackers--a treatment plant in Arizona released TCE (trichloroethylene), an industrial solvent believed to cause cancer, from a Superfund cleanup site into the water supply in 2008. As a result, nearly 5,000 people couldn't drink the tap water for three days.

Water and waste water or sewage facilities were found to be lagging other sectors in adoption of security measures, according to a McAfee report issued last year.

"It is really no more difficult to attack a SCADA network or system than it is to attack any other system. It just takes time, certain types of knowledge, and dedicated resources for developing the attack--same as any other attack vector or target," David Marcus, director of security research for McAfee Labs, wrote in a blog post late last week. "Certainly we may see more SCADA-based or SCADA-focused attacks in the future. Attackers tend to target systems that can be successfully compromised, and recent history has shown that these systems are at least as vulnerable as other types of networked systems."

Marcus writes that his gut tells him that "there is greater targeting and wider compromise than we know about," which other experts believe too. That's because the critical infrastructure industry lacks the forensics that corporations with information technology infrastructure have, so utilities may not know they have been compromised.

The industry is woefully unprepared to deal with cyber attacks, experts agree.

"What's it going to take for people to actually start doing something" to protect against that, asked Joel Langill, an ICS (industrial control systems) security specialist who runs the Scadahacker.com blog. "Most sectors aren't doing anything because they aren't being mandated to do it."