The Illinois Water Hack Is a Test of the System for Disclosure – Is It Broken?

My blog on the Illinois water hack was directly based on a formal disclosure announcement by the Illinois State Terrorism and Intelligence Center - STIC (Note: My blog did not identify the state involved. That disclosure came from DHS). The STIC disclosure was made on November 10; my blog was on November 17 after numerous water organizations told me they were unaware of the disclosure. The STIC report appeared to rely on the input from the utility with the exception of this STIC Analytical Comment: "It is unknown at this time the number of SCADA usernames and passwords acquired from the software company's database, and if any additional SCADA systems have been attacked as a result of this theft." It is unclear if the other SCADA system integrators' customers have been notified. However, this strongly implies that timeliness in notification is critical.
The DHS statement released recently appears to conflict with the STIC report and its positive statements that an event had occurred. This begs the question why two government agencies disagree over whether a cyber event that damaged equipment had occurred at a water utility.  Yesterday, a note was sent from DHS-sponsored ICSJWG stating they were notified about the STIC report on November 16. Why did it take so long for them to be notified? In addition, on Nov. 18 on a local TV station, the general manager of the water utility confirmed that it had been hacked with resulting damage to a water pump.
The intention of my blog was to highlight a concern that information is not being disseminated in a timely manner. Here we have a formal report of a cyber event that caused damage to equipment in the water infrastructure, yet no one else in the infrastructure is aware that anything has occurred. In addition, we now have two government agencies disagreeing whether any type of cyber event had indeed occurred.

There are numerous critical infrastructure table-top exercises that assume that notifications such as the STIC report are sufficient to initiate the cyber attack response process. If DHS turns out to be correct in its assumptions, then anyone acting on the STIC warning would have been wasting precious resources addressing a problem that doesn’t exist. At issue is that we need to be quickly informed if an event has occurred so that others who have similar equipment or architectures can take steps to protect themselves in case the event spreads. However, this requires both timely notification and correct information. Right now, it seems that neither of these two conditions may exist in this case.

We now have to wait for DHS and the other government agencies to come to agreement and let us know what has happened. If the STIC report is correct, then we have wasted precious time and allowed many others in the infrastructure to remain potentially vulnerable while we wait to find out if we should do anything.

What can be done to address these issues?

Joe Weiss