When There's a "Smokin' Gun", the Question is - What Happened to the Body?
For many who followed the recent Curran-Gardner event (yes, technically I am only calling it an "event", as it was never formally, officially was recognized as an "incident" by DHS or the FBI) involving a (very small) water utility out of Central Illinois.
The net result was that the whole situation of circumstances was a mislabeled, misreported set of reports as well as ill-gotten news media coverage due to redacted leaked information by a private researcher to the entire world.
Although, hypothetically, the problem appears to never have existed, the more interesting suite of questions that continue to plague this event (even still today) is "what happened?"
While a contractor for a control systems outsourcing company accessed one of his customer's control systems from a foreign country where remnants of the "Cold War" continue to exist today (as in surveillance and tapping systems of just about everything that is exposed in a public venue), only to be confused with a foreign-national actor with malicious intent, and the fact that much of the circumstances surrounding all of this appears to have been chalked up as merely a coincidence.
One thing still remains: what happened to the pump? While I know many within the water sector who have speculated as to what may have happened, let's look at several scenarios in how the pump may have failed:
(1) The pump was truly hacked by an external source that was never mentioned within any preliminary report, nor discussed through any unsecured means; all data and information at this point was encrypted and classified - only those who have a clearance may truly know what might have happened.
To me, this is still conceivable, though highly paranoid in nature. Do I think that our government is capable of such a cover-up? Note how quickly the story within the media stopped circulating, and how quickly it became "old". That may simply be how the news media operates; but you still have to ask yourselves if the sudden stop of discussion by the news media is part of something bigger.
Though I am not indicating that this is a cover-up and did happen, but just think about conspiracy theories for a moment, and ask yourselves if you think that our government could have conceivably managed to cover-up such a story.
(2) Mitigating circumstances in which the water utility's contractor decidedly accessed a control system/server from a foreign country that still continues to be plagued (even today) by surveillance systems, if not for the Russian government, perhaps the Russian mafia (which, to some, believe control the current Russian government).
The next question of whether or not any additional access from any Russian-based IP addresses needs to be answered, and unfortunately, this is something none of us may never know.
Even if the contractor did access the control systems/servers from Russia, it is sort of like asking yourselves if you would access your home's security system for a status update knowing that there will be watchful eyes on everything that you review and type.
Though there are quite a number of people and organizations (alike) who still feel that connections on the Internet are "secure", I find it difficult (at best) to sit and listen or read about such places and not think that they're simply making an excuse for their lack of action.
Too many organizations today feel that, unless something of significance occurs (after the fact), that the likelihood that someone may hack their environment is simply placing too much faith with handling a lightning rod with an approaching storm front, stating that they won't get struck by lightning.
(3) Coincidence in which the water utility's contractor accessed a control system/server at around similar timeframes that the pump physically failed. What's the odds of being struck by lightning twice, and in the same location (using the lightning scenario)? I would state pretty staggering, considering the circumstance; though some would indicate that this does happen, and quite often.
(4) The pump failed well before the "event" occurred. Some food for thought -- Curran-Gardner represents a small rural/farmtown water utility, supporting a small population of people. Ironically, they're connected with the City of Springfield, but probably for their fire districts in case their wells were to go dry (which I will explain in a bit).
Places like CG exist not only for serving and providing water, but many of these (so-called) "water utilities" provide pumping systems to keep rivers and creeks steady and in-check, are used for bilge pumping (sort of like a big "sump pumps", but water is taken from local sources and diverted to other locations - displacing the water so flooding doesn't occur), or used to keep water tables in-check.
Now... for the fire districts, many of the smaller, rural water districts might not be capable of providing their level of services for things like fire prevention (fire hydrants), so in many circumstances, water is pumped from larger sources (in this case, perhaps the City of Springfield) to keep the hydrants "water-fed".
One other thing that should also be noted is that many of these water districts have very scarce budgets; in some circumstances, they might have to plan for years ahead at a time, and cannot afford short-term financing issues (such as a water pump failure).
Due to how our society has become, it is probably cheaper to replace the entire, defective/failed pump, than it would be to service it. As pointed out by one of my water sector constituents, "Have you ever seen the inside of one of these things? It can get pretty nasty inside of the impeller, rusting its way from the inside going out."
And, there are several manufacturers and model/types of these kinds of pumps, all of which have a short life of (maybe) a decade of continuous use.
It may simply be cheaper to wait for a time in their budgetary cycle (however long that it may be) and appropriate funds for a replacement pump, taking a long weekend "outage", rather than periodically check and maintain the pump in attempt to extend its life by a few months or years, and taking several, smaller outages during/throughout the year.
So... the $64 question is: what happened to the pump?
Cross-posted from the SCADASEC Mailing List