FAQ: What You Should Know About Illinois Water-District SCADA Breach

Here are some key questions and answers about the Nov. 8 break-in of the control network at an Illinois water utility that resulted in attackers burning out a pump.

Some of these answers are based on information from Joseph Weiss, managing partner at Applied Control Solutions LLC and author of the book "Protecting Industrial Control Systems from Electronic Threats," who says he got the information from a document he has seen from the Illinois Terrorism Fusion Center, but he would not say how he obtained it.

BACKGROUND: Apparent cyberattack destroys pump at Ill. water utility

What happened?

Someone broke into the Curran-Gardner Water District network in Illinois and repeatedly switched the supervisory control and data acquisition (SCADA) system on and off. The SCADA system controls the equipment that runs the water system, including its pumps.

Each time the system was cycled, the pumps it controls were cycled with it. The repeated stopping and starting of one pump eventually burned it out.

How did the breach happen?

Hackers stole user names and passwords from the company that supplies SCADA software to the water district, including the credentials of the vendor's customers, the water district among them. Workers at the waterworks had noticed glitches in the district's remote-access system for two to three months, which may have been related to the attack.

Who did it?

That is not certain. The traffic has been traced to an IP address at a Russian ISP, but that does not establish where the attack originated. The traffic could have been relayed through a chain of intermediate hosts before being forwarded from the Russian server, so the last hop is not necessarily the attacker's location.

Why would someone want to burn out a pump at a small water utility where the damage didn't even interrupt water service?

One theory is that the attackers were practicing in preparation for a more significant attack, either at the utility or elsewhere. A counterargument is that anyone planning a future operation would want to keep their reconnaissance quiet rather than destroy equipment and draw attention. Another theory is that the attackers, experimenting with what they could do to the SCADA system, burned out the pump without meaning to. A third is that they were amateurs with no real plan who happened to ruin the pump. What exactly the attackers did during the time they had access to the network remains unclear.

Won't logs reveal what they were up to?

Probably not. Logs in SCADA networks typically record what physically happens to devices (a pump starting or stopping, a value changing), but usually not the sessions and commands inside the SCADA software that caused those changes. There may be some forensic evidence on the underlying operating systems, generally Unix and Windows, that sheds more light.
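As an added example, not part of the original article, here is the kind of check a responder could run over device-state records like the ones described above. It flags a tag (here a pump run state) that changes more often than a pump should within a short window, the pattern that burned out the pump, and then lists which remote-access sessions were active during that burst, since the device log alone does not say who issued the commands. The historian log format, the remote-access session records, the account names and the IP addresses are all constructed for illustration and are not from the utility or any SCADA vendor.

```python
"""Two checks over constructed SCADA device-state logs.

Added example, not from the article or any SCADA vendor. The historian
export format ("<ISO timestamp> <tag> <value>") and the remote-access
session records are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: PUMP_1 is cycled six times in a few minutes
# (the pattern the article describes), PUMP_2 has a normal duty cycle.
SAMPLE_LOG = """\
2011-11-08T01:00:00 PUMP_2.RUN 1
2011-11-08T02:00:00 PUMP_1.RUN 1
2011-11-08T02:00:45 PUMP_1.RUN 0
2011-11-08T02:01:20 PUMP_1.RUN 1
2011-11-08T02:02:05 PUMP_1.RUN 0
2011-11-08T02:02:40 PUMP_1.RUN 1
2011-11-08T02:03:30 PUMP_1.RUN 0
2011-11-08T02:04:10 PUMP_1.RUN 1
2011-11-08T03:30:00 PUMP_2.RUN 0
2011-11-08T06:00:00 PUMP_2.RUN 1
"""

# Constructed remote-access session records (login, logout, user, source IP).
# The vendor account name and the addresses are hypothetical.
REMOTE_SESSIONS = [
    (datetime(2011, 11, 7, 9, 0), datetime(2011, 11, 7, 17, 0),
     "operator1", "10.0.0.12"),
    (datetime(2011, 11, 8, 1, 50), datetime(2011, 11, 8, 2, 10),
     "vendor_support", "198.51.100.7"),
]


def parse_log(text):
    """Return a time-sorted list of (timestamp, tag, value) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than abort
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    events.sort()
    return events


def find_rapid_cycling(events, window=timedelta(minutes=10), max_transitions=4):
    """Flag tags whose state changed more than max_transitions times within
    any sliding window. Returns {tag: {"transitions", "start", "end"}}.
    """
    last_value = {}
    recent = defaultdict(deque)   # tag -> timestamps of recent transitions
    flagged = {}
    for ts, tag, value in events:
        prev = last_value.get(tag)
        last_value[tag] = value
        if prev is None or prev == value:
            continue              # first sample for this tag, or no change
        q = recent[tag]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop transitions that fell out of the window
        if len(q) > max_transitions:
            hit = flagged.setdefault(
                tag, {"transitions": 0, "start": q[0], "end": ts})
            hit["transitions"] = max(hit["transitions"], len(q))
            hit["start"] = min(hit["start"], q[0])
            hit["end"] = ts
    return flagged


def correlate_sessions(flagged, sessions):
    """For each flagged tag, list remote-access users whose session overlapped
    the cycling burst. An empty list means the commands came from somewhere
    the session records do not cover."""
    result = {}
    for tag, hit in flagged.items():
        users = [user for login, logout, user, _src in sessions
                 if login <= hit["end"] and logout >= hit["start"]]
        result[tag] = sorted(users)
    return result


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = find_rapid_cycling(events)
    active = correlate_sessions(flagged, REMOTE_SESSIONS)
    for tag, hit in flagged.items():
        print(f"{tag}: {hit['transitions']} transitions between "
              f"{hit['start']:%H:%M:%S} and {hit['end']:%H:%M:%S}; "
              f"remote sessions active: {active[tag] or 'none'}")
```

The thresholds (a 10-minute window, more than four transitions) are placeholders; a real deployment would derive them from the pump's normal duty cycle so that legitimate starts and stops are not flagged. The session correlation is only as good as the remote-access logging, which is exactly why the answer above warns that SCADA logs alone probably will not reveal what the attackers did.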

What do the authorities say?

The Department of Homeland Security says it and the FBI are gathering facts about the case. DHS says there's no indication of risk to public safety or critical infrastructure.


Copyright © 2011 IDG Communications, Inc.
