Let me say first that SCADA (supervisory control and data acquisition) attacks are real, they do happen, and they should be a real concern. But if we look at the recent press surrounding such attacks we see little in the way of any hard evidence that such an attack actually occurred. Instead we see rumor and accusation and a hell of a lot of theory.

The most recent example is the report, first covered by The Register, that someone broke into a local water utility and caused a pump to fail by turning it off and on repeatedly. This is a completely plausible scenario, but when we look a little closer at the report some holes start to develop.

The media grabbed hold of this story and quickly spread it around, over sixty different articles that I can find so far, yet none of them cite ANY primary sources for the incident. That’s Journalism 101, folks, and I didn’t even take a journalism class. The Register article quotes Joe Weiss, a managing partner for Applied Control Solutions, talking about the attack. This would seem to lend the story provenance and suggest the attack actually happened, but Weiss was not a primary source. Most of his quotes are hypothetical and refer to an ‘official government report’ that he refused to name. Weiss refused to state which water district was targeted, other than to say the report was released on November 10th. According to Weiss, a software vendor lost control of its customer username and password database, which gave attackers, who had been traced back to Russia, access to the systems.

The Register at least got a comment from the US Department of Homeland Security indicating the utility in question was located in Springfield, Illinois. I’m not sure why The Register did not pick up the phone and call Springfield, but Kim Zetter from Wired did call. The Springfield water department denied it was them and said the attack took place in the Curran-Gardner water district. When she called Curran-Gardner they hung up on her.

By the time the story made it to C|Net they actually had a quote from DHS.

“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Ill.,” DHS spokesman Peter Boogaard said in a statement. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

The key words that I see are ‘no credible corroborated data’ – Bingo! Now, it is possible that DHS is downplaying this so as to not cause widespread panic, but let’s face it, this is DHS; their whole reason for existing is widespread panic. So if they say there is ‘no credible corroborated data’, I’m going to go with that.

So what facts do we have that can be confirmed? I think it is pretty safe to say that a water pump somewhere in Illinois failed. I also think it is pretty safe to say that some secret government report blamed that failure on Russian hackers. That’s it. Everything else is pure speculation.

Now let’s read between the lines, shall we? Let’s assume that a pump somewhere in Illinois, over the course of several weeks or even months, turned itself off and on and failed. Pumps fail all the time; it happens, and it doesn’t mean they were hacked. Unfortunately we don’t know what kind of pump, who manufactured it, or how long it had been turning off and on before someone noticed. Now what if the code controlling this system was flawed in such a way that the control loop wasn’t working properly? Control loops are tricky things and it is easy to screw them up, especially if you’re a pump manufacturer and don’t pay close attention to the software that controls them. The classic mistake is a loop that compares a noisy sensor reading against a single setpoint on every scan, with no deadband and no minimum run time: the reading straddles the setpoint, the pump chatters on and off, and nobody needs to break in for it to burn out. Now I have no more evidence to say this was a software glitch than I do to prove it was an external intrusion. But doesn’t a control software glitch sound a hell of a lot more plausible than a Russian breaking into a small Illinois township water district?
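To make that hypothesis concrete, here is an added illustration that is not from the original post and not code from any real utility, pump vendor or PLC: a tank-level pump loop written two ways, run against a toy tank with a noisy level sensor. The first loop re-evaluates a single setpoint on every scan, so ordinary sensor noise makes the pump start and stop constantly; the second adds a deadband and a minimum run/rest time. Every number in it (tank size, flow rates, noise, setpoints) is made up for the example.

```python
"""Toy simulation of a pump control loop, with and without hysteresis.
Added illustration only: not code from any real water district, vendor or
PLC.  All tank and flow numbers are invented for the example."""

import random
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass
class Tank:
    level: float    # percent full
    inflow: float   # percent per tick added while the pump runs
    outflow: float  # percent per tick drawn off by consumers


def read_level(tank: Tank, rng: random.Random, noise: float) -> float:
    """Level sensor reading: true level plus a little measurement noise."""
    return tank.level + rng.uniform(-noise, noise)


def naive_controller(reading: float, pump_on: bool, setpoint: float = 50.0) -> bool:
    """Buggy loop: one threshold, re-evaluated on every scan.

    With any sensor noise the reading straddles the setpoint, so the pump
    is commanded on and off almost every tick (short-cycling)."""
    return reading < setpoint


@dataclass
class HysteresisController:
    """Sane loop: start below a low mark, stop above a high mark, and refuse
    to change state again until a minimum run/rest time has elapsed."""
    low: float = 40.0
    high: float = 60.0
    min_cycle_ticks: int = 30
    ticks_in_state: int = 0

    def step(self, reading: float, pump_on: bool) -> bool:
        self.ticks_in_state += 1
        if self.ticks_in_state < self.min_cycle_ticks:
            return pump_on            # too soon to switch again
        if pump_on and reading >= self.high:
            self.ticks_in_state = 0
            return False
        if not pump_on and reading <= self.low:
            self.ticks_in_state = 0
            return True
        return pump_on


def simulate(controller: Callable[[float, bool], bool],
             ticks: int = 2000, noise: float = 2.0,
             seed: int = 1) -> Tuple[int, float, float]:
    """Run the loop; return (pump starts, lowest level, highest level).

    Pump starts are the wear metric: every start is a motor inrush and a
    contactor operation, and that is what short-cycling burns out."""
    rng = random.Random(seed)   # fixed seed so the run is repeatable
    tank = Tank(level=50.0, inflow=0.4, outflow=0.2)
    pump_on = False
    starts = 0
    lo = hi = tank.level
    for _ in range(ticks):
        reading = read_level(tank, rng, noise)
        want_on = controller(reading, pump_on)
        if want_on and not pump_on:
            starts += 1
        pump_on = want_on
        tank.level += (tank.inflow if pump_on else 0.0) - tank.outflow
        lo, hi = min(lo, tank.level), max(hi, tank.level)
    return starts, lo, hi


if __name__ == "__main__":
    for name, ctrl in (("naive threshold", naive_controller),
                       ("hysteresis + min cycle", HysteresisController().step)):
        starts, lo, hi = simulate(ctrl)
        print(f"{name:24s} starts={starts:4d}  level range {lo:5.1f}..{hi:5.1f}")
```

Both loops keep the tank within a few percent of the setpoint, so from the operator's screen they look equally healthy; the difference is only visible in the start count, which is exactly the kind of thing nobody looks at until the motor fails.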

I think @Jack_daniel said it best “No one sentient doubts the vulnerability of SCADA systems, but for the love of $DEITY SHARE REAL DETAILS or crank up the skeptic settings.”

Late Update:

“Whether the burnout of that pump was related to this what might or might not have been a hacking, we don’t know,” said Don Craven, a water district trustee.

That pretty much settles that in my book.

Although I have to share one last quote from the Curran-Gardner Water District trustee: “I drank the water this morning.”

– SR

2011.11.25 – Update
One last update: it looks like those strange Russian IP addresses actually came from Russia, via a contractor who had authorized remote access. Imagine that. A source IP tells you where a session came from, not who was on the other end; an authorized account logging in from an unexpected country is a question to ask the account owner, not evidence of an intrusion. Yup, blame the contractor.

– SR