It was recently reported that an Illinois water utility experienced what it thought was a hack on its Supervisory Control and Data Acquisition (SCADA) system that caused a pump to burn out. This hack, the initial report released by the Illinois Statewide Terrorism and Intelligence Center said, was traced to Russian IP addresses. The Department of Homeland Security soon thereafter came out saying the initial reports were "based on raw and unconfirmed data" and that the utility was not in fact hacked.
So what really happened? A new account from Wired reports that a single phone call to one of the contractors hired by the utility to set up the SCADA system would have prevented what was being called the American version of a Stuxnet attack:
“I could have straightened it up with just one phone call, and this would all have been defused,” said Jim Mimlitz, founder and owner of Navionics Research, who helped set up the utility’s control system. “They assumed Mimlitz would never ever have been in Russia. They shouldn't have assumed that.”
Mimlitz’s small integrator company helped set up the Supervisory Control and Data Acquisition system (SCADA) used by the Curran Gardner Public Water District outside of Springfield, Illinois, and provided occasional support to the district. His company specializes in SCADA systems, which are used to control and monitor infrastructure and manufacturing equipment.
Mimlitz says that last June he and his family were on vacation in Russia when someone from Curran Gardner called his cell phone seeking advice on a matter and asked Mimlitz to remotely examine some data-history charts stored on the SCADA computer.
Apparently, Mimlitz never mentioned to the utility that he was in Russia, or that he remotely logged in again using his mobile phone during a layover. According to Wired, Mimlitz's username appears next to the IP addresses in the report. Mimlitz told Wired that he was not remotely manipulating anything that would have turned systems on or off:
Even though Mimlitz’s username was connected to the Russian IP address in the SCADA log, no one from the fusion center bothered to call him to ask if he had logged in to the system from Russia. Instead, the [Illinois Statewide Terrorism and Intelligence Center] released a report on Nov. 10 titled “Public Water District Cyber Intrusion” that connected the broken water pump to the Russian log-in five months earlier, inexplicably stating that the intruder from Russia had turned the SCADA system on and off, causing the pump to burn out.
“And at that point … all hell broke loose,” Craven said.
And now the finger pointing begins. Wired reports that the state police department, which is responsible for the center that wrote the report, said the information used to compile the reports released by the center comes from local DHS and FBI representatives. DHS fired back, saying that if it had approved the report, the report would have carried approval signatures from six offices, which it did not. Wired reports a DHS representative as saying the report did not undergo such a review because it was a fusion center product.
And what of the pump failure? According to Mimlitz, the logs show the pump failed due to an "electrical-mechanical reason" and was unrelated to the SCADA system. He also points out to Wired that nothing in the log references the system being turned on and off.
Joe Weiss of Applied Control Solutions, who provided information to the public about the supposed attack on a blog, said this incident makes the information coming out of the center seem untrustworthy.