While nobody's willing to say whether a burned out pump at an Illinois water authority is the result of a cyberattack, the big issue remains that nobody can say that it wasn't, according to experts.
"Whether it happened or not, there's a reality that it can happen," says Michael Arceneaux, managing director of WaterISAC, a national clearinghouse and alert system for water and wastewater system security.
And nobody seems to be doing much about it.
The overriding weakness of these supervisory control and data acquisition (SCADA) systems is that they are ultimately connected to the Internet, says Ira Winkler, a penetration-testing consultant who for years has been making public calls for better SCADA security. The systems were originally set up to be isolated, but as businesses and utilities using them grew they connected to their enterprise networks, which in turn connected to the Internet.
That means if attackers can hack into the enterprise network, from there they can hack into the SCADA network. "I don't know why this is acceptable," Winkler says. "It's devastatingly stupid."
The underlying problem is that there are no regulations that force owners of these networks to secure them. There are guidelines and recommendations and voluntary standards, but nothing with legal bite, he says, that can issue penalties for failing to comply.
In general, the security of networks like the one that may have been hacked at the Curran-Gardner Water District lacks the protections and forensics that are standard in most corporate networks, says Joseph Weiss, managing partner at Applied Control Systems LLC and author of the book "Protecting Industrial Control Systems from Electronic Threat." He is also the one who made the Curran-Gardner incident public in a blog post last week.
Weiss is concerned that the Department of Homeland Security hasn't identified the Illinois incident as a cyberattack despite its being called such by the Illinois Terrorism Fusion Center, an anti-terrorism agency coordinated by the Illinois State Police. He feels that the word should get out so other water authorities can be on the alert.
Arceneaux says his group has issued an advisory to its members, but doesn't call it a cyberattack because it has no direct knowledge of what happened. "We go by what the FBI And DHS made available," he says, and they have said nothing conclusive.
"From what they had, there may have been some strange things going on this summer with their SCADA system," he says, "then the pump fails." But there is no evidence linking the two; they may be coincidence, he says.
Weiss says he's seen a document from the Illinois Terrorism Fusion Center that says user names and passwords were stolen from the SCADA consultant to the Curran-Gardner water district. The district noted what are referred to as glitches in its remote access system over the past few months.
Then earlier this month, someone accessing the network from a Russian IP address managed to turn the SCADA system on and off, which also turned the pump on and off, which resulted in its failure, he says.
His guess is that the attackers weren't trying to destroy the pump, but were rather just experimenting with what capabilities they had and in doing so ruined the pump. Perhaps their efforts were preparation for a larger attack, he says.
Winkler agrees that destroying the pump was probably inadvertent because if the attackers were preparing for a larger attack later, they wouldn't want to cause damage that would reveal they had the ability to do so.
And he leaves open the possibility that the attackers were on a lark, breaking in just to see whether they could and then poking around once they did.
Winkler says the Russian IP address doesn't offer much in the way of identifying who is responsible for the attack. Using a Russian server as a relay is just good hacking practice to help hide where the hacker is really located since Russian officials are reluctant to help out in cyber investigations. "If you're going to hack, take the basic steps to cover your tracks," he says.
Read more about wide area network in Network World's Wide Area Network section.