A pump at a public water utility in Springfield, Ill., was recently destroyed after cyberattackers gained access to a SCADA system controlling the device, according to a security expert who said he obtained an official report about the incident.
A spokesman from the U.S. Department of Homeland Security (DHS) today confirmed the pump incident, but said it's too soon to say whether it was the result of a cyberattack.
"DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois," Peter Boogaard, deputy press secretary at the DHS, said in an emailed statement. "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."
Meanwhile, in a separate case, a hacker named "pr0f" earlier today posted several images on Pastebin purporting to show access to a "really insecure" Supervisory Control and Data Acquisition (SCADA) system at the city of South Houston.
The posting was prompted by what the hacker claimed was the DHS's attempts to downplay the Springfield incident. "This was stupid," pr0f wrote in a note on Pastebin. "I dislike, immensely, how the DHS tend to downplay how absolutely f**** the state of national infrastructure is," the hacker wrote.
The hacker claimed that no damage was done to any of the machinery. "I don't really like mindless vandalism. It's stupid and silly," pr0f wrote. "On the other hand, so is connecting interfaces to your SCADA machinery to the Internet." The hacker said the Houston hack required no skill "and could be reproduced by a two year old."
It was not possible to immediately verify any of pr0f's claims.
Joseph Weiss, managing partner at Applied Control Systems LLC and author of the book Protecting Industrial Control Systems from Electronic Threat said that the pump failure in Springfield occurred on Nov. 8.
The pump burned out after the SCADA system controlling it began to power off and on intermittently, said Weiss, citing the incident report he obtained titled "Public Water District Cyber Intrusion."
Employees had reported "minor" glitches with the remote access component of the compromised SCADA system for between two and three months prior to the pump failure, Weiss said. An investigation into the cause of the failure showed that the SCADA system had been improperly accessed by someone using a computer with an IP address based in Russia, he said.
The attackers are thought to have obtained the usernames and passwords to the system by first breaking into a computer belonging to the utility's SCADA software vendor. SCADA vendors often maintain a list of usernames and passwords for accessing systems at customer locations for support purposes. Anyone with those credentials can gain access to the customer system, which is what appears to have happened here.
"It is believed the SCADA software vendor was hacked and customer usernames and passwords stolen," Weiss said in a blog post. It is possible that the attackers gained access to the login credentials of other SCADA users as well, but it is unclear whether any other utility has been attacked, he said.
Weiss, whose book documents similar attacks around the world, said the DHS needs to do more to warn other utilities of the attack.
"The disclosure was made by a state organization, but has not been disclosed by the Water ISAC, the DHS Daily unclassified report, the ICS-CERT, etc." he blogged. "Consequently, none of the water utilities I have spoken to were aware of [the Springfield incident]."
A source close to DHS today noted that the agency has not traditionally shied away from sharing information about cyber incidents with all stakeholders. In this case, law enforcement is still investigating the cause of the pump failure so the agency has not yet been able to confirm that it was caused by a cyberattack, he said.
News of the attack comes just weeks after the discovery of the Duqu Trojan. Duqu is specifically designed to steal information from vendors of SCADA systems. Security vendors believe that the malware is being used to gather information so hackers can craft another Stuxnet-like worm like the one used to disrupt operations at Iran's Natanz nuclear facility last year.
When Duqu was discovered, some control system security experts worried it might be used to steal customer login credentials from SCADA vendors.
There is nothing to indicate any connection between Duqu and the incident at Springfield.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.