Is the WaterISAC Helping the Water Industry? – The Illinois Water Hack Raises Serious Questions
Per the WaterISAC portal, the WaterISAC (Information Sharing and Analysis Center) is a community of water sector professionals who share a common purpose: to protect public health and the environment. The WaterISAC provides email notifications about threats and any incidents demanding immediate attention. Consequently, one of the driving reasons for writing the blog on the Illinois water system hack Thursday was that the WaterISAC had not yet notified the water utilities. The WaterISAC finally issued a note to its members on Friday:
"WaterISAC Pro Subscribers:
It has been reported in the news yesterday and today that a water utility in Illinois suffered a cyber attack that destroyed one of its pumps. However, the FBI and the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) have informed WaterISAC that there is no evidence that an attack took place and question whether the pump failure had anything to do with a cyber incident.
In any event, the authorities continue to investigate, and WaterISAC will report to members any information indicating that an attack did take place.
Nevertheless, this is an opportune time to note there are a number of cyber/industrial control system security resources on the WaterISAC secure portal at www.waterisac.org. Particularly, log in to the portal and enter "cyber security webinar" in the search bar.
Please let me know if you have any questions in the interim."
The utility, however, has already acknowledged it was hacked, so the WaterISAC is certainly behind the times:
The McAfee report, In the Crossfire: Critical Infrastructure in the Age of Cyber War, states: “The water/sewage sector had the lowest adoption rate for security measures protecting their SCADA/ICS systems.” This would imply a lack of security awareness by the water industry. Many water utilities rely on the WaterISAC for early warning and, without this warning, assume they are not at risk. Shouldn’t the WaterISAC rethink the timeliness and adequacy of its response to help protect its members?
This is not the first time the WaterISAC has not addressed control system cybersecurity issues in an adequate or timely manner.