Remember the cries of alarm and media frenzy following reports that an Illinois water utility had been penetrated, remotely controlled and ultimately damaged by hackers whose attacks originated in Russia?
Turns out, according to an interview Wired did with the guy whose vacation in Russia set off alarm bells for both the utility and investigators, there was no attack, no pwning and no remotely controlled sabotage at the water facility.
A contractor hired to help set up and secure the SCADA systems took a call from the utility – Curran Gardner Public Water District outside of Springfield, Ill. – while he and his family were on vacation.
Contractors can't afford to pass up work even when they are on vacation, so Jim Mimlitz, owner of Navionics Research, logged in from where he was – in Russia – to look over the data-history charts as the client at Curran Gardner had requested.
That was in June. In November, when a pump failure had raised suspicions of system instability and a possible intrusion into the network, investigators reviewing the access logs found the logins from Russia highly suspicious.
Since much of the most effective criminal hacking is run from, or routed through, systems in Russia and other Eastern European countries, the ominous conclusion seemed obvious. But the source address of a session tells you where the connection came from, not who was at the keyboard, and the account that logged in belonged to a legitimate vendor.
"They assumed Mimlitz would never ever have been in Russia," Mimlitz told Wired, after admitting he hadn't mentioned to Curran Gardner that he was on vacation or where he'd been when he logged in. "They shouldn't have assumed that."
What really happened
A water pump did burn out, which is a big deal at a water-pumping facility. And a report from the Illinois Statewide Terrorism and Intelligence Center did say someone had accessed the system from Russia and that the illicit access might have had something to do with the system instabilities and the ruined pump.
SCADA security specialist Joe Weiss of Applied Control Solutions did pass along information from the report to various media outlets (including this one), which ran with the story after getting confirmation from the FBI and the Department of Homeland Security that they were investigating a possible cyberattack on the utility.
It made a great story, not least because all the warnings and fear of cyberattack were entirely plausible.
Various U.S. government agencies have been warning for years that the systems controlling pieces of the U.S. civil infrastructure, SCADA applications in particular, are vulnerable to attack.
That same week, in fact, a hacker known as 'pr0f' claimed to have cracked a South Houston utility, posting evidence on Pastebin to back up the story, especially the juicy bit – that the password controlling access to the SCADA system was only three characters long.
"This was stupid," pr0f posted. "Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely F***** the state of national infrastructure is. I've also seen various people doubt the possibility an attack like this could be done."
The South Houston attack seems legitimate enough (though as a proof-of-concept demonstration, not an act of war).
Unfortunately, the Curran Gardner event turns out to have been a series of misinterpretations and partially informed assumptions – some on the part of investigators, some on the part of the media.
The water pump that burned out appears simply to have failed from wear and age, not hacking.
Early statements from DHS and the FBI – which a week after the Nov. 10 report from the Illinois investigators jointly said they had found no evidence of a cyberattack – turned out to hold up in the long term as well as the short.
It's not unusual early in a breach investigation for investigators either to hold back evidence they have found or to be unable to find any until analysis of logs and system files, which can take days or weeks, is complete, so an early "no evidence" statement is not by itself conclusive.
In this case the evidence never turned up, except for the bit about the contractor who logged in to do some work from a part of the world that's under permanent suspicion of wrongdoing.
Last week DHS issued an ICS-CERT alert confirming it had found no evidence of an attack and slamming the conclusions drawn by both security analysts and the media.
“There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant,” the ICS-CERT alert states. “In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.”