Lack of control system cyber forensics can affect DHS response to Illinois water system intrusion

Nov. 25, 2011

DHS's statement on the Illinois water incident is: "After detailed analysis of all available data, ICS-CERT and the FBI found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois." The operative words in that statement are "no evidence". That means not only that ICS-CERT and the FBI could not confirm a cyber intrusion occurred, but also that they could not confirm a cyber intrusion did not occur.

Currently, there is a lack of CONTROL SYSTEM cyber security forensics and logging. Additionally, Intrusion Detection Systems (IDSs) are designed to identify known IT cyber security attacks, not control system attacks. At Curran-Gardner, no logging existed for the control signals sent from the SCADA system to the pumps. Consequently, it is not possible to determine whether the pump burnout was caused by control signals sent to the pumps or by the SCADA system itself cycling on and off. This is not just a problem for a small water utility such as Curran-Gardner; it applies equally to the largest utilities and other industrial facilities.

Control systems are engineering systems that should operate in an expected manner. Most of the 200+ control system cyber security incidents in my database were not identified as cyber incidents. Specific examples include:

- The Hatch nuclear plant shutdown, which was caused when IT workstations were effectively rebooted. No one realized a programmable logic controller (PLC) was electronically connected to the IT workstations; the result was the shutdown of all condensate pumps in the plant and a consequent forced shutdown of the nuclear plant. There are no control system cyber security logs for this type of incident.

- The Maroochy Shire, Australia wastewater hack was not recognized as a hack the first 20 times the disgruntled ex-system integrator hacked into the water treatment discharge valves, spilling more than 1 million liters of raw sewage.

- A water utility in the Southwest inadvertently pumped water from a Superfund-contaminated well into the drinking water system. There were no control system cyber security logs or cyber forensics.

- Stuxnet attacked the configuration files of Siemens PLCs, and there is currently no logging or forensics to identify compromised Siemens controllers.

What is necessary is to train control system engineers to recognize off-normal operation of their systems and then to perform engineering/security analyses.
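As an added illustration of what the missing logging at Curran-Gardner and the call for engineers to recognize off-normal operation imply in practice (this is example code written for this page, not code from the original post or from any utility's own tooling): if each start/stop command from the SCADA master to the pump controller were logged, an engineer could check the record for the off-normal behaviour that matters to a motor, namely rapid on/off cycling, and for commands issued by hosts that are not the master. The script below does both over a constructed log. The line format, the host addresses, the five-minute window and the transition threshold are all assumptions made for the example, not details of the Curran-Gardner system.

```python
"""Process-aware review of a control-command log.

Added example, not code from the original post. The log format, host
addresses and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per start/stop command sent from the
# SCADA master to the pump controller (think Modbus write-single-coil).
# Fields: ISO timestamp, source host, coil address, commanded value.
SAMPLE_LOG = """\
2011-11-08T10:00:00 10.1.1.5 coil=1 value=1
2011-11-08T10:00:12 10.1.1.5 coil=1 value=0
2011-11-08T10:00:25 10.1.1.5 coil=1 value=1
2011-11-08T10:00:38 10.1.1.5 coil=1 value=0
2011-11-08T10:00:51 10.1.1.5 coil=1 value=1
2011-11-08T10:01:03 10.1.1.5 coil=1 value=0
2011-11-08T10:30:00 10.1.1.5 coil=1 value=1
2011-11-08T14:15:07 203.0.113.9 coil=1 value=0
"""

# Assumed: the only host permitted to command the pumps.
ALLOWED_MASTERS = {"10.1.1.5"}


def parse_log(text):
    """Parse the constructed log format into a list of command records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, coil, value = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "coil": int(coil.split("=", 1)[1]),
            "value": int(value.split("=", 1)[1]),
        })
    return records


def find_rapid_cycling(records, window=timedelta(minutes=5), max_transitions=4):
    """Flag coils whose commanded state changed more than `max_transitions`
    times inside any `window`. Frequent motor starts are off-normal for a
    pump regardless of who sent the commands, so this is an engineering
    check first and a security lead second."""
    by_coil = defaultdict(list)
    for rec in records:
        by_coil[rec["coil"]].append(rec)

    findings = []
    for coil, recs in by_coil.items():
        recs.sort(key=lambda r: r["ts"])
        # Keep only records that actually change the commanded state.
        transitions = [r for i, r in enumerate(recs)
                       if i == 0 or r["value"] != recs[i - 1]["value"]]
        best_start, best_count = None, 0
        start = 0
        for end, rec in enumerate(transitions):
            # Slide the window forward until it spans at most `window`.
            while rec["ts"] - transitions[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_start, best_count = transitions[start]["ts"], count
        if best_count > max_transitions:
            findings.append((coil, best_start, best_count))
    return findings


def find_unexpected_sources(records, allowed=ALLOWED_MASTERS):
    """Return commands issued by hosts other than the permitted master(s)."""
    return [r for r in records if r["src"] not in allowed]


def main():
    records = parse_log(SAMPLE_LOG)
    for coil, start, count in find_rapid_cycling(records):
        print(f"coil {coil}: {count} state changes within 5 min starting {start}")
    for rec in find_unexpected_sources(records):
        print(f"command from non-master host {rec['src']} at {rec['ts']}: "
              f"coil {rec['coil']} -> {rec['value']}")


if __name__ == "__main__":
    main()
```

The cycling threshold is an engineering judgement: how many starts per hour a given pump motor tolerates is a property of the pump, not of the network, which is exactly why an IDS built around known IT attack signatures would never raise this finding. The second check is only meaningful if the command log records the source of each write, which is the kind of control-system-specific logging the post says was absent.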

Among the lessons learned from 9/11 were the failure of imagination on the part of law enforcement and the intelligence community and the failure to "connect the dots". Both of these issues appear to be in play in the DHS statement.

What more should be done to protect our critical infrastructures?

Joe Weiss
