Russian hackers may have sabotaged a water pump in what’s being described as the first foreign cyber attack on US utility infrastructure, damaging both hardware and confidence in critical systems. The attack targeted a Springfield, Illinois water utility station on November 8, Reuters reports, using network credentials stolen from an industrial software developer; the pump was apparently remotely activated and burnt out, though redundant systems meant no impact was felt by residents of the town.
Nonetheless, the event is being taken seriously by the Illinois Statewide Terrorism and Intelligence Center, with the US Department of Homeland Security and the FBI both involved in the investigation. Although still early, the teams involved insist there is no cause for ongoing concern, with DHS spokesperson Peter Boogaard arguing that “there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”
Despite those reassurances, online security specialists are already drawing parallels between the Illinois attack and the Stuxnet virus that impacted Iranian nuclear facilities in 2010. Although never acknowledged by either government, many believe that particular viral strike – which sabotaged a centrifuge used in uranium enrichment – was controlled by the US and Israel.
“Over a period of two to three months, minor glitches had been observed in remote access to the water district’s SCADA [Supervisory Control and Data Acquisition] system” security expert Joe Weiss told The Register, having acquired a copy of the Illinois report detailing the water pump hack. The “glitches” escalated to the point where the pump was power-cycled until it burnt out; since multiple pumps are used at the facility, no interruption to the water supply was observed.
Evidence of further hacking has not been observed, though it’s unclear how many remote access credentials have been stolen by those responsible. It is reportedly usual for usernames and passwords to be hard-coded to SCADA hardware, which could make a broad security refresh more difficult than with traditional enterprise systems.