Last Tuesday, Nick Catrantzos suggested here that reports of the Springfield, Illinois “cyberattack” might have more to do with “Naïve or myopic cyber professionals whose over attention to expediency permits convenient remote access for their technical support colleagues with insufficient attention to the exposure that this condition creates,” than with an attack by foreigners.
He’s right, according to Friday’s Washington Post story by Ellen Nakashima:
A water-pump failure in Illinois that appeared to be the first foreign cyberattack on a public utility in the United States was in fact caused by a plant contractor traveling in Russia, according to a source familiar with a federal investigation of the incident…. The contractor, who had remote access to the computer system, was in Russia on personal business, the source added.
Score one point also for DHS officials who insisted on getting the facts correct before someone lobbies Congress for a 350 trillion dollar Water Attack Security Target Enforcement program:
… officials at the Department of Homeland Security, which oversees industrial control system cybersecurity, cautioned from the outset that the report contained “no credible, corroborated data.”
The water pump in question had been experiencing problems, turning on and off and eventually failing, water district board members said. The pump has malfunctioned several times in recent years, a DHS official said.
The “international authority on cybersecurity” who (apparently) first made public the information in the Illinois State Terrorism and Intelligence Center (STIC) report responded to the new details about the attack by attacking:
This [the conflict between the STIC and DHS reports] begs the question why two government agencies disagree over whether a cyber event that damaged equipment had occurred at a water utility….
There are numerous critical infrastructure table-top exercises that assume that notifications such as the STIC report are sufficient to initiate the cyber attack response process. If DHS turns out to be correct in its assumptions, then anyone acting on the STIC warning would have been wasting precious resources addressing a problem that doesn’t exist. At issue is that we need to be quickly informed if an event has occurred so that others who have similar equipment or architectures can take steps to protect themselves in case the event spreads. However, this requires both timely notification and correct information. Right now, it seems that neither of these two conditions may exist in this case.
We now have to wait for DHS and the other government agencies to come to agreement and let us know what has happened. If the STIC report is correct, then we have wasted precious time and allowed many others in the infrastructure to remain potentially vulnerable while we wait to find out if we should do anything.
Perhaps that’s a restatement of the classic expectation of intelligence: “give us accurate, timely, and actionable information.”
Welcome to another dimension of the big data problem.
Or, as our buddy prOf might say, “Take the f*%#!&g SCADA off the internet.”