November 22, 2011, 8:17 AM — Here are some key questions and answers about the Nov. 8 break-in of the control network at an Illinois water utility that resulted in attackers burning out a pump.
Some of these answers are based on information from Joseph Weiss, managing partner at Applied Control Systems LLC and author of the book "Protecting Industrial Control Systems from Electronic Threat," who says he got the information from a document he's seen from the Illinois Terrorism Fusion Center, but he wouldn't say how he got it.
Someone hacked into the Curran-Gardner Water District network in Illinois and turned the supervisory control and data acquisition (SCADA) network on and off. That network controls the machines that run the water system.
Turning the system on and off in turn turned pumps on and off. The constant stopping and starting of one pump eventually burned it out.
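An added example, not from the article or the utility: a small detector that flags a pump being started and stopped far more often than normal in SCADA event log lines, the kind of check a defender would want running over a historian or alarm log. The log format, field names, sample lines and thresholds below are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the incident):
# timestamp, command source, pump id, command
SAMPLE_LOG = """\
2011-11-08T09:00:00 hmi-local   pump1 START
2011-11-08T09:30:00 hmi-local   pump1 STOP
2011-11-08T14:00:00 remote-vpn  pump2 START
2011-11-08T14:01:10 remote-vpn  pump2 STOP
2011-11-08T14:02:05 remote-vpn  pump2 START
2011-11-08T14:03:00 remote-vpn  pump2 STOP
2011-11-08T14:04:30 remote-vpn  pump2 START
2011-11-08T14:05:20 remote-vpn  pump2 STOP
"""

def parse_log(text):
    """Parse the assumed four-field format into (timestamp, source, pump, command)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, pump, cmd = line.split()
        events.append((datetime.fromisoformat(ts), source, pump, cmd))
    return events

def find_rapid_cycling(events, window=timedelta(minutes=10), max_transitions=3):
    """Return {pump: (first_ts, last_ts, count, sources)} for every pump whose
    START/STOP commands within any sliding window exceed max_transitions.
    The sources that issued the commands are kept so an analyst can see
    whether the cycling came from a remote-access path."""
    alerts = {}
    recent = defaultdict(deque)  # pump -> recent (timestamp, source) transitions
    for ts, source, pump, cmd in sorted(events):
        if cmd not in ("START", "STOP"):
            continue
        q = recent[pump]
        q.append((ts, source))
        while q and ts - q[0][0] > window:   # drop transitions outside the window
            q.popleft()
        if len(q) > max_transitions:
            sources = sorted({s for _, s in q})
            alerts[pump] = (q[0][0], ts, len(q), sources)
    return alerts

if __name__ == "__main__":
    for pump, (start, end, n, sources) in find_rapid_cycling(parse_log(SAMPLE_LOG)).items():
        print(f"{pump}: {n} transitions between {start} and {end} from {sources}")
```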
How did the breach happen?
Hackers stole user names and passwords from the company that supplies SCADA software to the water district, including the user names and passwords of its customers. Workers at the waterworks had noted glitches in the water district's remote access system for two to three months that could be related to the attack.
Who did it?
That's not certain. Traffic has been traced to an IP address at a Russian ISP, but that doesn't mean that's where the attack originated. It could have hopped from server to server before finally being forwarded from the Russian server.
Why would someone want to burn out a pump at a small water utility where the damage didn't even interrupt water service?
One theory is that the attackers were practicing in preparation for a more significant attack either at the utility or elsewhere. A counterargument is that people planning a future operation would want to keep their reconnaissance secret. Another theory is that in experimenting with what they could do to the SCADA system, they inadvertently burned out the pump. It's unclear what exactly the attackers did during the time they had access to the network. Another theory is that it was amateur hackers messing around with no real plan and they happened to ruin the pump.
Won't logs reveal what they were up to?