The Illinois Statewide Terrorism and Intelligence Center revealed last week that earlier this month a hacker shut down a pump at a central Illinois water utility serving 2,200 customers. The event is a stark reminder of how vulnerable our critical infrastructure, most of which is operated remotely through SCADA (supervisory control and data acquisition) software, is to cyber attack.
The attack, which appears to have originated in Russia, seems to be the first foreign cyber attack on US critical infrastructure. The event highlights the double-edged nature of an increasingly automated water distribution infrastructure: on the one hand, advanced SCADA systems have increased operational efficiency; on the other, public health and safety are at risk from cyber attacks.
The water utility in question has not been named, only described as a small rural utility in central Illinois. The attackers gained access to the utility's system by lifting passwords from a SCADA software development company, and began cycling a water pump off and on until it failed, on November 8. Backup pumps activated automatically, preventing disruption of water service.
The FBI and Department of Homeland Security are investigating the incident. A bit absurdly, DHS has downplayed the attack, stating that 'there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.' This notion did not sit well with a hacker called Prof, who posted on Pastebin a scathing rebuke of what he considers the malaise with which the DHS is responding to the event and critical infrastructure protection in general. He writes: "I dislike, immensely, how the DHS tend to downplay how absolutely f***** the state of national infrastructure is."
To prove the vulnerability of SCADA systems and twist the proverbial blade, he claimed to have accessed the South Houston Wastewater Department's SCADA system, posting screenshots of the software program to prove it. In a final twist, he says that the hack required 'no skill' and could be 'reproduced by a two year old.' The FBI and DHS are now also investigating this incident, the purpose of which, Prof claims, is simply to prove a point, not cause harm.
Representative Jim Langevin (D-R.I.), co-founder of the House Congressional Cybersecurity Caucus, and Prof are on the same page when it comes to their distaste for the seemingly lackadaisical approach to combating cyber attacks at critical infrastructure facilities.
To The Hill, Rep. Langevin stated: "I'm greatly concerned about security of our critical infrastructure and its vulnerability to a cyber attack... We have a lot of work to do and I don't think that the owners and operators of the electric grid in particular or water and sewer treatment plants are taking this threat seriously enough. But the potential attack that took place in Springfield, Illinois, should be a real wake-up call."
Rep. Langevin, in 2010, introduced a bill that would have created a National Office for Cyberspace which would 'oversee the security of agency information systems and infrastructure'. The bill passed the House but floundered in the Senate. The EPA, which is tasked with the protection of water and wastewater infrastructure under the hauntingly Orwellian-sounding Homeland Safety Presidential Directive 7, should be particularly interested in the goings-on.
The embattled agency, which is likely seeing its budget cut, oversees the enforcement of various Homeland Security Directives applicable to water utilities as well as the Bioterrorism Act of 2002, which requires water utilities to prepare vulnerability assessments and develop plans to mitigate or prevent emergencies. As part of its responsibilities, EPA is required to develop what's known as a Sector Specific Plan for protecting the nation's water and wastewater infrastructure.
The latest version, published in 2010, mentions the development of a plan, called the Cybersecurity Roadmap, to enhance cybersecurity related to water and wastewater infrastructure. The Sector Specific Plan blandly states that the 'Water Sector is following the path laid out by Cybersecurity Roadmap', pointing out that several cybersecurity workshops have been held. Workshops, however, do not make a secure SCADA infrastructure.
The incidents in Illinois and Texas should stimulate renewed focus on these cybersecurity efforts. Cyberattacks, after all, will likely grow, particularly as more systems become more automated. A key piece will be ensuring security alongside operational efficiency. Workshops may not be enough to ensure this happens. The release of the Stuxnet virus on Iranian nuclear infrastructure earlier this year, which has been linked to the US, stoked anxiety about retribution: the fear was that foreign attackers, emboldened by the use of cyber weapons by the US, would fight fire with fire and begin attacking US infrastructure. It appears this fear has come true, and the events of late indicate water is a prime and vulnerable target.