Foreign hackers targeted U.S. water plant in apparent malicious cyber attack, expert says
Foreign hackers broke into a water plant control system in Illinois last week and damaged a water pump in what may be the first reported case of a malicious cyber attack on a critical computer system in the United States, according to an industry expert.
On Nov. 8, a municipal water district employee in Illinois noticed problems with the city’s water pump control system, and a technician determined the system had been remotely hacked into from a computer located in Russia, said Joe Weiss, an industry security expert who obtained a copy of an Illinois state fusion center report describing the incident.
The city affected was Springfield, Ill., according to the U.S. Department of Homeland Security.
Problems with the system had been observed for two to three months and recently the system “would power on and off, resulting in the burnout of a water pump,” the Nov. 10 report from the statewide terrorism and intelligence center stated, according to Weiss, who read the report to The Washington Post.
“This is a big deal,” said Weiss. The report stated it is unknown how many other systems might be affected.
According to the report, hackers apparently broke into a software company’s database and retrieved user names and passwords of various control systems that run water plant computer equipment. Using that data, they were able to hack into the plant in Illinois, Weiss said.
It’s not the first time that two-step technique — hack a security firm to gain the keys to enter other companies or entities — has been used.
Earlier this year, hackers believed to be working from China stole sensitive data from RSA, a division of EMC that provides secure remote computer access to government agencies, defense contractors and other commercial companies around the world. Armed with that data, they breached the computer networks of companies, including Lockheed Martin, whose employees used RSA “tokens” to log in to the corporate system from outside the office. Lockheed said that no sensitive data were taken.
“RSA is the gold standard” for remote access security in industry, said Gen. Keith Alexander, head of U.S. Cyber Command and director of the National Security Agency, at a conference in Omaha this week. “If they got hacked, where does that leave the rest?”
Alexander noted his concern about “destructive” attacks on critical systems in the United States.
The Department of Homeland Security, whose job is to oversee the protection of critical infrastructure such as water utility computer systems in the United States, said that DHS and the FBI are investigating the Illinois incident. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” DHS spokesman Peter Boogaard said in an e-mailed statement.
According to the fusion center report obtained by Weiss, the network intrusion of the software company “is the same method of attack recently used against a Massachusetts Institute of Technology server” used to “aid and initiate an attack on other Websites.”
For Weiss, though, the incident has significance. “It was tracked to Russia. It has been in the system for at least two to three months. It has caused damage. We don’t know how many other utilities are currently compromised.”
Senior U.S. officials, including Alexander, have recently raised warnings about the risk of cyber attacks on critical infrastructure. Questions persist about the readiness and capabilities of DHS to respond to a major attack, and the scope of authority of the U.S. military, which has the greatest cyber operational capabilities, to respond.