The flap over the reported water utility hack in Illinois raises the question: Is the reporting system that the US has set up to identify cyberattacks on critical infrastructure broken and in need of re-thinking?
Since the year 2000, the Department of Homeland Security (DHS) has encouraged states and cities to establish so-called "Fusion Centers" to operate under local control and collect information from the likes of power companies and water utilities about incidents that might have national-security implications.
There are now 72 of these Fusion Centers in the US, which vary in their practices, according to DHS. When one of them, the Illinois Statewide Terrorism and Intelligence Center (STIC), issued a brief report on November 10 titled "Public Water District Cyber Intrusion," it led to a firestorm of controversy, putting what has been a secretive reporting system in the harsh glare of the public spotlight, and highlighting the intrinsic weakness in the way the US critical-infrastructure incident reporting system works today.
The Illinois STIC report said there had been a cyberattack from Russia on a SCADA (supervisory control and data acquisition) system used by an unnamed Illinois water-supply company to control its water pumps, leading to the burnout of a pump as it was repeatedly turned on and off. In addition, the STIC report said an unnamed information technology services company looking at the SCADA system believed the hackers had been going after the SCADA system for several months, trying to get user names and passwords.
The STIC report was sent on to the DHS for its review, which DHS says is the usual process. But the DHS' Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) later said it was only "made aware of" the report on November 16.
The report, shared among those associated with the Illinois STIC, was expected to remain confidential. But the operator of a utility company associated with the Illinois STIC, who was troubled by this report and looking for advice, shared it with a well-known energy-industry consultant, Joe Weiss, head of Applied Control Solutions.
When Weiss mentioned the report in his blog, a media firestorm ensued, with the Washington Post and other news sources describing it as perhaps the most significant cyberattack on US critical infrastructure.
Once the media blitz erupted, the DHS and FBI took to publicly describing how, in coordination with ICS-CERT, they had sent a team off to the Illinois water facility. The feds were the first to name it as the Curran-Gardner Townships Public Water District in Springfield, Illinois, which serves just over 2,000 customers.
ICS-CERT on November 23 issued a bulletin that said once it had received the Illinois STIC report on November 16, the organisation "reached out to the STIC to gather additional information. ICS-CERT was provided with a log file; however, initial analysis could not validate any evidence to support the assertion that a cyber intrusion had occurred."
Curran-Gardner itself declines to discuss the matter, but the DHS and FBI now say, "After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois."
The Washington Post reported that, too, and later quoted unidentified sources saying the remote SCADA access was from an unnamed contractor for Curran-Gardner that happened to be in Russia at the time.
That contractor, Jim Mimlitz, founder and owner of Navionics Research, has now come forward and publicly said he was in Russia on vacation in June and logged into the SCADA system at the request of Curran-Gardner. He said he didn't mention to them he was on vacation in Russia.
It is unclear how that activity in June came to be perceived as a November hacking attempt in the Illinois CERT report, which Weiss read verbatim to Network World. The report is thin on details about the supposed intrusion, the problems with the SCADA system, and what actually happened.
The DHS ultimately concluded: "There is no evidence to support claims made in initial reports — which were based on raw, unconfirmed data and subsequently leaked to the media — that any credentials were stolen, or that any vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and the FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported."
But the DHS does add: "Analysis of the incident is ongoing and additional relevant information will be released as it becomes available."
Several security experts say they find it reprehensible that a SCADA contractor would remotely access a US facility's SCADA system from Russia.
"It's without question a poor security practice, probably the most distressing information out of this investigation," says Andre Eaddy, director of cyber security portfolio solutions at Unisys. "Most organisations would limit access inbound and outbound to certain countries, especially to certain countries like Russia or China." That's because there are so many malware-related attacks associated with them that it isn't worth the risk, and even taking a laptop with contractor information there would not be considered good security, he says.
"It is shocking" a contractor would directly access a SCADA system from Russia, Weiss says. But the bigger problem is that "we have no control system forensics and logging," meaning it is hard to get an accurate picture of what happened, where and when after any type of suspected breach.
Weiss says the entire episode, in which the Illinois STIC Fusion Center issued a very direct report that gave no indication it was preliminary or unproven and which had such explosive information, shows how broken the US critical-information reporting system is.
"What Illinois put out is scarier than hell," he says. It's hard to understand how it could take a week or longer for ICS-CERT, DHS and the FBI to step in and say the report was wrong. He also points out that the various Fusion Centers all report different things that seem to circulate only locally before information goes on to DHS in Washington. He wonders why Fusion Centers put out reports without making it clear they're not considered validated.
Weiss thinks the Water-ISAC, a group coordinated by the federal government and the water utilities to share information, should have been informed about the Illinois STIC report.
Some in industry think Weiss stepped out of bounds to have even publicly mentioned the Illinois STIC report, but Weiss says he doesn't have any official connection to it and is under no particular obligation to keep the document confidential.
On November 23, ICS-CERT, which works within DHS, issued a security advisory about the "Illinois Pump Failure Report" in which it said: "there is no evidence to support claims made in the initial STIC report — which was based on raw, unconfirmed data and subsequently leaked to the media — that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant."
Without mentioning Weiss by name, ICS-CERT pointed out the impact that public discussion had had on its usual processes, which are typically secret. "Publicly disclosing affected identity names and incident information is highly unusual and not part of ICS-CERT's normal incident reporting and triage procedures. In this particular case, because unconfirmed information had already been leaked to the public, ICS-CERT and the asset owner/operator felt it was in the best interest of the community to collaboratively analyse all available data and disclose some of the findings."
DHS sources say the general assumption about the Fusion Centers is that they are simply places for gathering information and that DHS is the ultimate authority for the validation of that information. Fusion Centers include not just critical infrastructure companies but private-sector partners as well. For instance, Cisco says it belongs to many of the Fusion Centers and would immediately supply information to them if a serious malicious attack was detected.
DHS provides some funding to the Fusion Centers through FEMA grants, but expects the state and local authorities sponsoring a center to carry the basic fiscal and management responsibility. DHS acknowledges the Fusion Centers vary significantly in their activities and practices, though since 2008 there has been a push to try to establish basic guidelines and common toolsets.
However, DHS at this point isn't able to explain exactly what anomalies or security incidents critical infrastructure companies are required to report.
"Right now, it's not a good model," says Gartner analyst John Pescatore of the Fusion Centers. Not only could the intelligence-gathering function be improved, but there should be more "proactive information coming from the other way" that would help private industry definitely know about real threats.