Earlier this month hackers accessed the control system of a water utility in Springfield, Illinois via a Russian IP address and caused a water pump to malfunction and eventually fail, according to reports. This would have been the first known kinetic cyberattack on U.S. soil except for one catch: It didn’t happen.
The media frenzy began on November 18, after security consultant Joe Weiss posted to his blog details from an Illinois state intelligence center report that described the alleged attack. Weiss noted that the “IP address of the attacker was traced back to Russia” and that “the SCADA system [which controls plant equipment] was powered on and off, burning out a water pump.”
“This is a big deal,” Weiss told the Washington Post. “It was tracked to Russia. It has been in the system for at least two to three months. It has caused damage. We don’t know how many other utilities are currently compromised.”
While the Department of Homeland Security said at the outset that the report contained “no credible corroborated data,” some took it as fact.
Columbia computer science professor Steven Bellovin wrote that although many have begun to believe that such cyberattacks are possible, some are still skeptical. “That debate is now over: we have an existence proof,” he wrote. “All future debate has to start from this fact: the threat is real. We can argue over magnitude, but not over the possibility.”
Discussing the attack on MSNBC, Rep. Jim Langevin (D-RI), founder of the Congressional Cybersecurity Caucus, said he didn’t think that owners and operators of utilities are taking cyber threats seriously enough. “The potential attack that took place in Springfield, Illinois, should be a real wakeup call,” he said. Langevin is the author of a bill now before Congress that would give DHS the power to regulate the security of private utility networks.
A few days later, however, a completely different picture emerged.
“After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois,” investigators said in a statement just four days after Weiss’s initial blog post. “In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported.”
So where did the Russian connection come from? The Washington Post now reports that the malfunction was in fact caused by a contractor who had been granted authorized remote access to the control system. He happened to be traveling in Russia on personal business when he logged in, which is how a Russian IP address ended up in the utility's access logs: the source address recorded a legitimate user's location, not an attacker's.
A couple of lessons stand out from this dramatic week in cybersecurity. First, we shouldn’t jump to conclusions based on sketchy first reports of cyberattacks. Bad reporting tends to take on a life of its own. Two years ago, an electrical blackout in Brazil was similarly blamed on hackers, but the cause turned out to be nothing more than sooty insulators. That hasn’t stopped pundits, defense contractors and politicians from citing the debunked incident as evidence that we need comprehensive legislation to regulate Internet security.
Second, although Bellovin was mistaken in believing the initial reports, he’s right that such an attack is possible. The discussion should be about the possible magnitude of attacks and what can be done to prevent them. Although the rhetorical engines of those who want new cyber-legislation were spinning into overdrive before the facts abruptly shut them down, this incident, if it had been a cyberattack, would not have shown a dire need for new rules. Instead, it showed that the damage was not catastrophic and that the water utility worked well with federal authorities under existing law.
So next time you read reports of cyberattacks that can “spill oil, vent gas, blow up generators, derail trains, crash airplanes, cause missiles to detonate,” among other things, you should consider taking a teaspoon of salt.