Guest author Sean McBride is the Director of Analysis and Co-founder of Critical Intelligence, a company that provides Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
A pair of investigations, one by the Department of Homeland Security , and one by reporters from Wired , provided a conclusion to the Curran-Gardner Water Disrict (Illinois) hacking incident. In short, the suspected intrusion from a Russian IP address was legitimate traffic from a SCADA engineer on travel in that country. The log-in did not seem to be related to the failure of a pump under the system’s control.
The story originally broke on November 17, when Joe Weiss, an outspoken ICS security professional, noted having received a report from a government body that described a compromised water SCADA system. Over the following weeks numerous news outlets, including the BBC  covered the incident – which is now known to be a false alarm.
Several facets of the incident, its reporting and coverage, show the importance of developing sound analytical competence.
First, and most obviously, the report, which came from the Illinois Statewide Terrorism and Intelligence Center, was unverified analysis. As a consumer of information, one must accept that when you receive analysis from a third party there may be errors and omissions, lack of expertise, logical fallacies, false assumption, and biases. The old adage still applies: “You can’t believe everything you read in the paper.” Of course, this challenge of discerning truth and error is compounded when information is provided by an “official” government source – which was the case here.
Close examination of the Illinois report however, shows several reasons to call it into question:
- The report was released on November 10, 2011 and provides extensive details of an event that reportedly occurred on November 8, 2011. That timeline seems unreasonable.
- The report claimed that the intrusion “is the same method of attack recently used against the Massachusetts Institute of Technology (MIT) server” because “The water district’s attack and the MIT attack both had references to ‘phpMyAdmin’ in the log files of the computer systems.”
This is inaccurate, showing a fundamental misunderstanding and lack of research. The compromised MIT server attacked other systems that exhibited the phpMyAdmin vulnerability– it was not the means of its own compromise. Moreover, it does not seem likely that the SCADA system would be running phpMyAdmin (though not impossible).
- The report also states “It is believed the hackers had acquired unauthorized access to the software company’s database and retrieved the usernames and passwords of various SCADA systems, including the water district’s system.”
This seems to conflict with the idea that the compromise occurred via phpMyAdmin. One possible way to sync the two named attack vectors is that the SCADA vendor was running phpMyAdmin and the SCADA vendor’s networks were compromised by that vulnerability – but that would probably have required analysis of the SCADA vendor’s logs in addition to the Curran-Gardner logs, and the report itself implies that the vendor’s logs have not been reviewed: “It is unknown at this time the number of SCADA usernames and passwords acquired from the software company’s database and if any additional SCADA systems have been attacked as a result of this theft.”
Second, DHS’s (INL/Battelle) handling of the situation represents a continual squandering of taxpayer resources.
- “Rules” for government engagement in the private sector seem to have been disregarded.
It is my understanding that ICS-CERT or any other federal agency providing a public-private service can only intervene upon the request of an affected entity. In the Curran-Gardner case, ICS-CERT actively sought to contact the reportedly affected entity: “ICS-CERT would like to thank the Curran-Gardner Public Water District and the SCADA systems integrator (vendor) for their cooperativeness in pulling all available resources in order to conduct a thorough and exhaustive investigation” .
While this may seem like the right thing to do, it is, at a minimum, inconsistent with previous statements that incident response requires “voluntary” participation with the government. Imagine that the DHS and FBI come calling, “We heard you had a problem…we are here to investigate. You need our help. Can we help?” This is hardly voluntary.
- What was the evidence that prompted the intervention/response? A failed pump that helped provide water to 2000 customers. What risk does this represent to the homeland? There was no threat, and very little consequence. Apparently risk assessment is NOT prerequisite to or part of conducting a “thorough and exhaustive investigation.”
- If Curran-Garnder wanted an investigation, they could have hired qualified parties to help out (in fact, their logs had already been reviewed by a computer support company, that correctly concluded that someone had logged in from Russia).
If DHS continues at this rate, it might want to move into the system integrator business, and to operating water facilities in small towns – just to make sure the Russians don’t get in. The parties managing the Control Systems Security Program (as well as the shoe-in contractors) wouldn’t mind the increased budget.
- Reporters from Wired ran the story to ground in ways that surpassed DHS efforts (at no public fee).
Third, DHS ignores important issues and hypes the worthless.
- DHS continued to make an issue of the story by sending emails, releasing documents, and making it a prominent item at industry briefings. There was no actionable intelligence from this effort. Why continue beating the drum?
- DHS reports fail to mention that Curran-Gardner has experienced SCADA issues for well over a year, undergoing several pump repairs in 2009 and 2010 [4-6], and ultimately receiving an insurance check for a “SCADA failure” in September of 2010 .
- The reporting did not mention the fact that if Curran-Gardner didn’t want folks logging in from Russia, they could have blocked IP addresses from Russia (or any other country).
- DHS has yet to publicly address the four SCADA systems accessed/trespassed by pr0f – which are real intrusions. Some information about all of these is publicly available.
In short, a little bit of analytical thinking and a few phone calls could have saved unnecessary taxpayer expenditures, the dissemination of misinformation, and the wasting of valuable time. This seems to underscore that as a group of practitioners, we are quick to lend weight to government agencies (such as the Illinois Statewide Terrorism and Intelligence Center and DHS in this case) despite a proven record of analytical shortcomings. Until we all (government, reporters, solution providers, and operators of critical infrastructure) increase our analytical competence we can only expect to believe (and promote) things that aren’t accurate.
Image by Chris_Short