The Department of Homeland Security has revved up their engines to run circles around widespread media reports that hackers had taken control of a water pumping station in Springfield, Illinois. The report of the hacking incident suggested that Russian IP addresses had been implicated in damaging a piece of critical water infrastructure; this was based entirely on revelations by Joe Weiss, security consultant and managing partner of Applied Control Solutions.
At the time DHS spokespeople urged caution in thinking that hackers had allegedly attacked and sabotaged the pump; now they’re back for blood less than a week later to take the wind out of the sails of the report.
KrebsOnSecurity wrote up a lengthy examination of the allegations levied by Weiss and the response received from the DHS on the matter. In which the DHS roasted Weiss’ analysis of the situation and continued to hold fast to their initial caution that no evidence suggested that this indeed was a cyber incident, citing that Weiss lacked any solid evidence or information to support his claims.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of the DHS tasked with investigating these events, said they could find nothing to connect the incident to anything cyberterrorism related. In their report they went on to scathe the lack of evidence,
“There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant,” the ICS-CERT alert states. “In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.”
Weiss has since blogged about the ICS-CERT statement, and he’s not convinced.
“The real thing that bothers me is how could there be such substantial amount of information provided where a lot of it is really a simple yes or no situation,” Weiss said. “Was there a Russian [Internet] address involved or wasn’t there? The Illinois facility also said their technician had observed these abnormalities for 2-3 months. Well, either he did or he didn’t.”
As part of the ICS-CERT report, also mentioned was another water infrastructure facility apparent cyber incident that happened in Texas as widely reported last week. In that intrusion a hacker using the handle “prof” claimed to have gotten access to a water control systems plant, he even published screenshots online.
The ICS-CERT says only that it’s still investigating that incident as well.