Infrastructure protection

DHS: Hackers did not cause Illinois water pump to fail

Published 28 November 2011

Cybersecurity experts and critical infrastructure operators can rest a bit easier now that DHS investigators have determined there is nothing to suggest that hackers caused a water pump to fail in Springfield, Illinois

For the past two weeks, cybersecurity experts and officials have been in a state of panic after initial reports indicated malicious actors had taken control of the Curran-Gardner Public Water District’s industrial control system and caused physical damage in a Stuxnet-like attack.

Chris Ortman, a spokesman for DHS, set the record straight, citing a thorough investigation by the FBI into the events at the utility.

“There is no evidence to support claims made in initial reports — which were based on raw, unconfirmed data and subsequently leaked to the media — that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant,” Ortman said. “In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported.”

In contrast, the initial report by the Illinois Statewide Terrorism and Intelligence Center concluded that hackers had destroyed the pump after gaining access to the utility’s supervisory control and data acquisition (SCADA) system.

Joseph Weiss, a SCADA security expert, obtained a copy of the preliminary report and revealed its contents to several media outlets.

Weiss said that, according to the initial report, the pump was destroyed when hackers instructed it to cycle on and off repeatedly. The attackers reportedly gained access to the system through stolen passwords from the water utility’s SCADA vendor.

In addition, Weiss said the report noted that the attacks had been carried out by someone using a computer with an IP address based in Russia.

Following Weiss’s statements to the media, DHS said that it was investigating the pump failure and needed time to determine if the failure was in fact caused by a cyberattack.

An anonymous DHS source told Computer World that the Illinois state agency had released two “Unclassified/For Official Use Only” documents about the incident, but the reports were inconclusive and only contained an initial report on the pump’s failure.

Patrick Miller, the president of the Energy Sector Security Consortium (EnergySec), said that even though DHS may have determined that the Illinois water pump’s failure was not the result of hackers, the threat to critical infrastructure and SCADA systems remains a serious concern.

“There is a lot of older equipment used in industrial control systems in both water and energy industries,” Miller said. “These older systems were not designed to include security and they are not easy to upgrade so they are very vulnerable.”