No evidence of cyberattack at water pump, DHS says

Story highlights

  • "No evidence of a cyber intrusion," the DHS says
  • A cybersecurity expert blogged about the possibility of a cyberattack
  • The initial reports were raw and not conclusive, a DHS official says
  • The blogger says his goal was to highlight concerns about information sharing

Federal investigators have found no evidence that a cyberattack was behind a water pump failure this month in Illinois, the government announced Tuesday.
After a "detailed analysis," the Department of Homeland Security and the FBI "have found no evidence of a cyber intrusion," DHS spokesman Chris Ortman said.
Officials confirmed last week that they were looking into the possibility of a cyberattack at a public water district in Illinois, after a blog disclosed the possibility.
"There is no evidence to support claims made in initial reports -- which were based on raw, unconfirmed data and subsequently leaked to the media -- that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant," Ortman said Tuesday. "In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported."
The blog came from Joe Weiss, a noted cybersecurity expert. He wrote that he had obtained a state government report, dated November 10 and titled "Public Water District Cyber Intrusion," which gave details of an alleged cyberattack culminating in the "burn out of a water pump."
Such an attack would be noteworthy because, while cyberattacks on businesses are commonplace, attacks that penetrate industrial control systems and intentionally destroy equipment are virtually unknown in the United States.
In a blog post Tuesday, Weiss wrote, "My blog on the Illinois water hack was directly based on a formal disclosure announcement by the Illinois State Terrorism and Intelligence Center" (STIC). He added that he posted the blog a week after the STIC disclosure, "after numerous water organizations told me they were unaware" of it.
In the blog post, he asks "why two government agencies disagree over whether a cyber event that damaged equipment had occurred at a water utility."
"The intention of my blog was to highlight a concern that information is not being disseminated in a timely manner," he writes. "Here we have a formal report of a cyber event that caused damage to equipment in the water infrastructure, yet no one else in the infrastructure is aware that anything has occurred."
The DHS website lists the Illinois Statewide Terrorism and Intelligence Center as the state's primary fusion center, and explains that fusion centers serve as focal points "for the receipt, analysis, gathering, and sharing of threat-related information."
A senior DHS official told CNN the fusion center in Illinois released two reports, both marked "unclassified/for official use only," about a potential cyber compromise of the SCADA (supervisory control and data acquisition) system at the Curran-Gardner Public Water District in Springfield, that may have resulted in a pump failure. "The reports were intended to be initial raw reporting and not conclusive in nature," the official said, speaking on condition of anonymity because the official is not authorized to speak on the record.
The federal government's Industrial Control Systems Cyber Emergency Response Team deployed a team Sunday to investigate and "has been actively working with the utility and the FBI to gather additional forensic data to determine what may have caused the pump to fail," the official said.
The Illinois STIC did not immediately return a call Tuesday from CNN.
Another computer expert familiar with the incident said last week that the government was acting properly.
"This is just one of many events that occur almost on a weekly basis," said Sean McGurk, former director of the National Cybersecurity and Communications Integration Center. "While it may be nice to speculate that it was caused by a nation-state or actor, it may be the unintended consequence of maintenance," he said.
In his original post, Weiss did not say the state or region where the utility was located, and noted that the report was marked "For Official Use Only."
The DHS, in responding last week, said the water system was located in Springfield.