The Department of Homeland Security's ICS-CERT has issued statements that deny there was an attack against systems governing the Curran-Gardner Public Water District in Springfield, Illinois.
The assertion by DHS runs counter to initial reports that there had been a cyber intrusion into the utility's industrial control system (ICS) networks, resulting in data loss and possibly in physical damage to equipment.
As originally reported on Infosec Island on November 18:
On November 17th Joe Weiss, a well-known member of the Industrial Control System (ICS) community, posted on his blog about a recent US water system hack.
Joe points out that the disclosure concerning the Nov 8th supervisory control and data acquisition (SCADA) hack was made by Illinois Statewide Terrorism and Intelligence Center on Nov 10th.
Joe's post stated that the SCADA software vendor was compromised and that customer usernames and passwords were stolen as well as possible physical damage to the utility.
Note that the referenced link to Weiss's blog post now leads only to a blank page at the GlobalControl.com website.
The FBI and ICS-CERT subsequently released a joint statement that indicated the investigation into the alleged attack was ongoing, and that there was no conclusive evidence systems had actually been compromised:
The DHS Illinois State Fusion Center released two FOUO reports about a cyber hack into a water utility that resulted in a pump failure. The reports were intended to be initial raw reporting and not conclusive in nature. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received a copy of the reports on Nov 16th and inquired to the DHS field office to obtain additional information.
Initial ICS-CERT analysis of a log file provided by the state fusion center could not validate the claims made in the report; however, analysis is ongoing. The vendor is a small regional systems integrator that builds custom solutions with a focus on local, rural water utilities.
ICS-CERT and the FBI have now concluded that there is no evidence that the network intrusion occurred, despite the initial alerts issued by the Illinois Statewide Terrorism and Intelligence Center on Nov 10th:
After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.
There is no evidence to support claims made in the initial Fusion Center report - which was based on raw, unconfirmed data and subsequently leaked to the media - that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported.
Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.
While news that there was no breach of the facility's systems is certainly welcome, the conclusions of ICS-CERT and the FBI fail to provide an explanation as to why the Illinois Statewide Terrorism and Intelligence Center initially believed the facility had been compromised.
The latest statements also fail to explain why Illinois officials believed that there had been a data loss event, that equipment had failed as a result of the alleged attack, and where the notion that foreign IP addresses had been identified in the initial reports came from.
The lack of explanation has produced an information vacuum in the information security community that has led to speculation that some sort of event may have occurred at the facility which officials may be attempting to cover up.
Further explanation regarding why the Illinois Statewide Terrorism and Intelligence Center was under the impression that an attack had occurred would help put an end to needless speculation, and would help the administrators of similar facilities to avoid unnecessary alerts if the initial reports were indeed based on a false positive.
Officials also indicate that they are still investigating reports of another network intrusion in South Houston, Texas.