I have read several articles on the recent water plant cyber intrusion that damaged a pump in a small utility firm’s facility in Illinois. I am not a digital forensics analyst, but I do find the reactions very interesting.
The initial announcement was bounced around the news outlets as a big deal. Who did it? Was it the first shot in a cyber war? What did it really signal? Why a water plant in a small community? Some of the more sophisticated writers opined that it might be a reconnaissance of our critical infrastructures to see if “they” (whoever that might be) could do kinetic-like damage with cyber means.
Next, the wave of analyses began to peel back the layers. The hack was reported to be traced back to a Russian IP address (how’d they do that so fast?), and others speculated that the pump just failed (as pumps sometimes do) and the utility was using this as an excuse. In an interesting illustration of how naïve some people are with regard to cyber, one of the plant officials announced that, despite the hack, it was OK because no customer information was compromised. He clearly had a frame of reference where hacks were ALWAYS about identity theft. Even though he managed a piece of critical infrastructure (albeit a small piece), he had no cognizance of the possibility of a SCADA attack.
The most recent stuff is now saying, or at least intimating, that it was probably a non-professional hacker, just doing it for fun. OK, I know those folks are still out there, but are we going back to the days when we blame them for everything? I know the forensics are hugely difficult, but let’s do them before we just shrug and say it was “just the kids playing.”
Frankly, I don’t know what the Water Plant incident really means, but at this point, neither does anyone else. Can we afford to dismiss it, even if it turns out to be some script kiddies? Even if it was NOT an attack or a recon, others are watching, analyzing and learning. Regardless of the origin and the intentions behind this incident, the door has been opened, the proof of concept provided. Can we honestly not expect more?
I have said this before: the sky is not falling! However, we still need to up our vigilance and recognize that we have enormous vulnerabilities and competent adversaries. We badly need to make some progress in protecting the cyber elements of our critical infrastructures, and we need to do it now.