Russian Hackers Breach Springfield, Illinois (?) Water Utility and Destroy Pump

Supervisory Control and Data Acquisition System

U.S. Navy photo by Joe Schmitt

Apparently, Russian hackers are targeting Springfield, Illinois's water. According to Wired's "Threat Level," last week a group of hackers breached the Springfield, Illinois water utility system and remotely destroyed a water pump.

The breach was discovered on November 8, when an employee noticed a problem with the Supervisory Control and Data Acquisition (SCADA) system. The problem caused the water pump to burn out after being continuously turned on and off. The Department of Homeland Security's Industrial Control System-Cyber Emergency Response Team, when queried by reporters, revealed that a utility company in Springfield, Illinois was hacked.

The details beyond that are hazy. As Wired pointed out, one of Springfield's water utility companies is City Water, Light and Power. A spokeswoman at the company denied that an incident had occurred there, and suggested that it may have happened to systems managed by another utility company, Curran-Gardner Public Water District. Curran-Gardner refused to comment.

The Illinois Statewide Terrorism and Intelligence Center released a "Public Water District Cyber Intrusion" report on November 10 that indicates that hackers may have had access to the system since September. Hackers using Russian IP addresses hacked the software vendor that makes the system. They were then able to access the vendor's database of usernames and passwords, and used the stolen credentials for remote access to the SCADA system's network. Such vendors keep records of their customers' access information so they can maintain and upgrade the systems.

Two to three months before the discovery of the hack, operators noticed "glitches" in the remote access to the SCADA system. "They just figured it's part of the normal instability of the system," said Joe Weiss, cybersecurity expert and managing partner at Applied Control Solutions, who obtained a copy of the report. "But it wasn't until the SCADA system actually turned on and off that they realized something was wrong."

The vendor is located in the United States, and Weiss worries about what other systems are at risk. "One thing that is important to find out is whose SCADA system this is," he said. "If this is a [big software vendor], this could be so ugly, because a biggie would have not only systems in water utilities but a biggie could even be [used] in nukes." Weiss discussed the breach yesterday on his blog, calling for better coordination and disclosure from government organizations. Because of this lack of coordination and disclosure, Weiss wrote, other water utilities were not aware of the breach or of their own vulnerability to cyber attacks. It may not be one of the biggest data thefts in history, but it's certainly one of the odder ones.