Earlier this month, government and IT security eyes were glued to news that foreign hackers infiltrated an Illinois utilities system and caused a water plant’s pump to fail. According to The Washington Post, if the breach was confirmed, it would be the first one known to hit a system that supplies the country with water and electricity.
The media blitz was massive and details came fast.
Security blogger Joe Weiss claimed that the culprits gained access through a software vendor that contracted with the utility. Whoever was responsible gained user name and password information from the vendor system and used that information to access Illinois’ supervisory control and data acquisition (SCADA) system and wreak havoc. The IP address of the attack was traced to Russia, according to a report from the Illinois Statewide Terrorism and Intelligence Center. Federal officials said they were investigating the attack but that no conclusions had been made.
But the federal government wasn’t able to produce evidence to support the Illinois fusion center’s claims. "After detailed analysis, DHS and the FBI have found no evidence of a cyberintrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Ill.," a DHS spokesman said in a statement on Nov. 22.
But that doesn’t mean everyone has been quick to write the possible cyberintrusion off. On Monday, Nov. 28, Time reported that there has been skepticism from its readers, and that the federal government claimed from the beginning that the report had no corroborated data. Yet, on Nov. 18, an ABC affiliate claimed that the attack occurred in a small water district near Springfield.
Don Craver, chairman of the Curran-Gardner Water District, told the affiliate, “There's some indication there was a breach of some sort into a software program — the SCADA system — that allows remote access to the wells, and the pumps, and those sorts of things.”
Government Technology spoke with representatives from security vendors who weighed in on the seriousness of the issue and what can be done to protect critical infrastructure systems.
“You have to ask the bigger question of, why was the company in possession of the credentials that let [hackers] get into the backdoor?” said Andrew Brandt, director of threat research for Solera Networks. “Why did the software company need to be able to act as the back end of all of these distributions of their product?”
Brandt couldn’t say if the breach was a case of the vendor not following proper security protocols or if the cyberattack was so good that it wouldn’t have mattered how secure the vendor network was. But in any case, the utilities software community may be behind others in terms of cybersecurity.
“What we’re finding is that, in a lot of circumstances, companies that are not in that space suddenly have to quickly get up to speed,” Brandt said.
Mike Geide, senior security researcher at Zscaler ThreatLabz, said that this breach, like all others, could’ve been a case of criminals going after low-hanging fruit. But if SCADA systems are uniquely vulnerable, that’s a big problem.
“This is not only a wake-up call for the security industry, but a further wake-up call for attackers to say, ‘Hey, we really need to focus more energy on low-hanging fruit, such as SCADA systems,’” Geide said.
One way to protect critical infrastructure systems like public utilities is to ask whether the system in question must be connected to the Internet, and if so, how connected. Geide advocates for a least-privilege scenario, in which access to the system is only given to those who need it.
“There probably isn’t a need for it to be publicly accessibly from anybody on the Internet,” he said. “It can probably be severely limited [or] removed from the Internet in the first place if it doesn’t even need to be there.”
Brandt echoed his sentiments. “For these critical infrastructure systems, they need to be not connected to the Internet unless they have proper safeguards,” he said. But Brandt admitted that there was no evidence that the entities in Illinois didn’t have proper safeguards in place.
Yet regardless, Brandt knows that IT professionals don’t always monitor attack vectors the way they should — and that problem’s not industry-specific. “As is the case in a lot of circumstances with a lot of industries and not just with government and not just in industrial systems, there is a need to be able to monitor for, reproduce and keep track of all this information relating to an attack,” he said. “It’s just not being done.”