Experts caution against overreacting to potential water plant hack
Former officials say a possible breach of a utility control system needs further analysis to identify the cause.
An ongoing investigation into the possible hack of a U.S. water plant should trigger a methodical analysis of the security of the nation's industrial systems to avoid jumping to the wrong conclusions, former federal cybersecurity officials say.
The Homeland Security Department's cyber response team and the FBI are gathering facts about a report of a water pump failure in Springfield, Ill., according to DHS officials. Their actions follow a state fusion center alert, first reported by noted security specialist Joe Weiss and later publicized by media outlets, that apparently suggests intruders may have lingered in the system for weeks. Some security experts familiar with the report are attributing the malfunction to a targeted attack originating from a Russian network access point, or IP address. If the report bears truth, then this incident represents the first known intentional intrusion into a U.S. industrial control system.
But some experts caution that many organizations don't have the computer forensics expertise to pinpoint the cause of suspicious network events, let alone the identities of perpetrators.
In the case of the Illinois water plant intrusion or even recently confirmed interferences with U.S. satellites, "it may be a cyber incident or a cyber-related incident, but it may not be a cyberattack," said Sean McGurk, who in September stepped down as director of DHS' National Cybersecurity and Communications Integration Center. "Part of the challenge is to identify an IP address as the origin of the attack . . . it's not a skill set most companies, especially a water company, would have."
He noted that sometimes flaws in a network's design create openings for unauthorized users -- who are not professional hackers.
"It's not a matter of someone using brute force skills," said McGurk, now a private consultant. "They are just using random username and password authentication" to guess their way into computer systems.
In contrast, some businesses with international ties, who perhaps should be concerned, tend to look the other way when compromised. "In many cases, the companies don't want to know the attribution piece," he said. "They want the penetration to stop, but they don't want to know who is behind it," adding that the reason is "they may have business dealings with foreign governments."
Both cyber alarmists and realists have long warned that someday adversaries will strike Supervisory Control and Data Acquisition systems that run vital U.S. infrastructure, from drinking water to financial services. The private sector owns about 85 percent of the nation's critical networks, including systems supporting the Pentagon.
"You cannot open the newspapers these days without reading about a hack against Wall Street, or a hack against a company, or a hack against this water plant," said Sam Visner, former signals intelligence chief at the National Security Agency, the Pentagon's spy branch. The Illinois incident "is really a call for replacing the sound bites with a national strategy for educating ourselves."
Specifically, organizations should undertake a more thoughtful review into why these events occur. "In the absence of information, people can become desensitized or overly sensitized," said Visner, now in charge of cybersecurity strategy at federal contractor CSC. "I do think we risk making people afraid of things they should do online."
Law enforcement experts also encouraged this kind of assessment before assuming a breach is sophisticated in nature or sponsored by a foreign government.
"You really need to take a look at the TTPs -- tactics, techniques and procedures -- that are used with some of these attacks to get evidence to the possibility of nation state involvement," said Scott Aken, former special agent in the FBI's computer and cyber crime unit. "You cannot always assume that all breaches that are sophisticated in nature, or involve critical infrastructure are state sponsored."
Businesses and relevant agencies should be studying the duration, stealth and goal of the infiltration, as well as the number of individuals who were targeted and the tools used, said Aken, currently vice president of cyber strategy and development for L-3 Communications. "No prankster would have the resources necessary to carry out complex, multimonth or even multiyear attacks just to pull off a prank," he said.
In a statement, Homeland Security spokesman Peter Boogaard said, "At this time there is no credible, corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety," adding that if DHS "identifies any information about possible impacts to additional entities, it will disseminate timely mitigation information as it becomes available."
Aken said he hopes this latest incident will teach the public that U.S. critical infrastructure is not impenetrable. "Our computer network defense posture is far from robust and by continuing to show the real danger behind these attacks, maybe Americans will place a bit more emphasis behind shoring up our network defenses," he said.
Andrea M. Matwyshyn, a University of Pennsylvania Wharton School professor who specializes in corporate cyber regulation, said there needs to be a reasoned, rather than panicked, analysis of the vulnerability of existing systems.
"The worst kind of crisis management is engineers running down the hall screaming," she said. "Because of the sophistication of some attackers, it's only by planning carefully and creating the most bulletproof-like structures that we stand a chance."
Hackers, Matwyshyn cautioned, are not only military-like units sponsored by foreign powers but also "script-kiddies" playing around with computer code in their basements to break into computer accounts.
Earlier this month, the Office of the Director of National Intelligence released a study asserting that China and Russia are responsible for massive cyber espionage. "Moscow's highly capable intelligence services are using [human intelligence], cyber and other operations to collect economic information and technology to support Russia's economic development and security," the findings stated.
NEXT STORY: DHS changes approach to border technology