Water Pump Destruction Not Due To SCADA Hack

knifeyspooney writes "According to the Springfield State Journal-Register, the city's recent public water system failure was not caused by malicious activity. One water district trustee spoke this gem: 'First, they tell us that it's the first instance of cyber hacking in the entire world, and everyone goes nuts. Now, all of a sudden, they tell us it's not.'"

First instance?

[Aryden]

say what? first instance of cyber hacking? are you suuuuuuuure about that?

Re:First instance?

[md65536]

Yes.

There have been hacking instances somewhere in the world, in the past, probably. But this is the first one that's cyber.

Re:First instance?

[cribb]

They trendsourced it.

As MrEricSir once wrote: (http://tech.slashdot.org/comments.pl?sid=1174265&cid=27321897)

Def. trendsource
-verb: to solve problems using popular buzzwords

("The water utility trendsourced the cyberhack by integrating crowdsourcing with Agile methodologies automated with a SOAP communication layer.")

Re:First instance?

[Canazza]

water and SOAP. I lolled.

Re:First instance?

[7x7]

Wired still seems to think it was a hack, or at least something fishy is going on. http://www.wired.com/threatlevel/2011/11/scada-hack-report-wrong/

Re:First instance?

I lolled.

Thanks for... SHAAAAAAAARING!

Re:First instance?

[ColdWetDog]

Wired still seems to think it was a hack, or at least something fishy is going on. http://www.wired.com/threatlevel/2011/11/scada-hack-report-wrong/

If it isn't a hack, it's boring and won't give page views. It just has to be something nefarious.

Re:First instance?

[mcgrew]

I think what he meant was it was the first instance of cyber-hacking (is that phrase redundant?) against a SCADA system. Besides, that's the exact wording the media is using.

I live in Springfield, and the media reports are pretty contradictory. The reports in the last few days were that the company that designed the system had evidence of a successful hack and they were worried that the design company hack would lead the attackers to information that would let them in the system.

Two nights ago the local TV news (WICS 20) reported that they had uncovered evidence in the SCADA logs that indicated that they were penetrated, now they say otherwise.

All over a burned out pump. Nobody got hurt, no services were interrupted.

News reports are also saying it's in Springfield; it isn't. It's a water district in two tiny towns a few miles away. Here's a map.

Re:First instance?

[mangu]

They trendsourced it.

Pheww! At first I read it as transsourced and thought, but, but, there is no word such as transsource. A quick search confirmed this.

But OK, if it's trendsource then that's a real word.

Oh, wait...

Re:First instance?

[Anne+Thwacks]

Springfield? what did Homer Simpson say it was?

Re:First instance?

[ediron2]

Correction: Wired says Joe Weiss thinks it was a hack, or that at least something fishy is going on.

Ask a wide cross-section of SCADA geeks what they think of Joe.

Re:First instance?

obviously stuff like stuxnet doesn't count cause America made it, and wasn't the victim.

Re:First instance?

[mcgrew]

It wasn't even reported if his sister in law had anything to say about it, but it wasn't a CWLP pump, a little town five or so miles outside Springfield.

Manipulating the stupid masses through media.

[unity100]

simple. you tell that it is due to cyberhack. everyone goes nuts, endless number of articles spread throughout internet. then you admit that it wasnt. at this point it is now impossible to change misinformation. the misinformation spreads, public opinion is shaped. you can pass your $OPA act.

http://www.abc.net.au/science/articles/2011/07/11/3265013.htm

http://idle.slashdot.org/article.pl?sid=10/07/14/1235220

Re:Manipulating the stupid masses through media.

Isn't all that tinfoil a little scratchy?

Re:Manipulating the stupid masses through media.

I'm sorry, but it is not beyond the imagination to create a situation to bring about policy change and thereby create new money flows. Look at the US Patriot Act, TSA, the military-industrial complex, "war" on drugs, "war" on the poor, etc.

Or just call it lobbying, in general.

Re:Manipulating the stupid masses through media.

Of course not. Everyone knows a tin foil hat doesn't work properly if it is too wrinkled.

Re:Manipulating the stupid masses through media.

[Hijacked+Public]

I'm a big fan of good evidence but if you don't read Leo Strauss and discover that a critical component of neo-conservatism is having an enemy to unite people against, then find out that an entire war launched by neo-cons that dumped billions into the pockets of neo-con friendly businesses was based on entirely fabricated evidence against the enemy, then wonder if some elements of governments might be willing to engage in extreme hoodwinking to get what they want....maybe you are in denial.

Re:Manipulating the stupid masses through media.

No, it's standard intelligence agency methodology, for those who aren't naive.

Re:Manipulating the stupid masses through media.

[Hentes]

Well this tactic worked in Roswell, a lot of people still believe it was an UFO.

Re:Manipulating the stupid masses through media.

[Dishevel]

Thank you.
I like how easy it is to decide decide to completely dismiss someones statements based on a single hint.
The "Neo-Cons" did it with the help of the "Jews".

Please continue to use the term Neo-Con so as to warn the rest of us that you are to be ignored.

Re:Manipulating the stupid masses through media.

[mcgrew]

Eh, it was Rority. Drunk and stoned, as usual.

Re:Manipulating the stupid masses through media.

[unity100]

while neo cons are using the term 'neo con' for themselves, openly and proudly in party speeches, only a moron would come up and try to deny the existence of their entire faction.

Re:Manipulating the stupid masses through media.

Really? I'd like to know who and when.

"Neo cons" aren't conservative. They're liberals in disguise. Neo = New. Conservatism is, by definition, sticking to what we've been doing, not doing something "new". "Neo Conservative" is a contradiction of terms and anyone who uses it is a moron, or at best ignorant.

Re:Manipulating the stupid masses through media.

[unity100]

im sure cheney, bush et al are actually caring for your redefinition of political termage ....

Re:Manipulating the stupid masses through media.

Redefinition? I'm not redefining it. Feel free to read up on the actual meaning of the term.

http://en.wikipedia.org/wiki/Neoconservatism

The term "neoconservative" was popularized in the United States in 1973 by Michael Harrington ... Harrington applied the term "neoconservatism" to the policy writings by Daniel Bell [His most influential books are The End of Ideology (1960), The Cultural Contradictions of Capitalism (1976) and The Coming of Post-Industrial Society (1973).], by Daniel Patrick Moynihan [Daniel Patrick "Pat" Moynihan (March 16, 1927 – March 26, 2003) was an American politician and sociologist. A member of the Democratic Party...], and by Irving Kristol ... The term neoconservative, which originally was used by a socialist to criticize the politics of Social Democrats, USA, has since 1980 been used as a criticism against proponents of American modern liberalism who had "moved to the right".

This is the FBI

[Oswald+McWeany]

Good morning Mr. Mayor,
this is special agent Smith.

Yes, we'd like you to say the water pump malfunctioned and wasn't hacked.

No, no, I know about the truth, Mr. Mayor, but we don't want the public to be aware of the dangers they are in from exploding water towers and militarised telephone cables... or to encourage copycat hackers.

Yes, yes... just say it was normal wear and tear.

Oh, you're not going to comply?.. are you aware that we have an unauthorised GPS under your car and know what you do Tuesday nights? ... ahh I'm glad you see things our way.

Re:This is the FBI

[geekoid]

Too bad that makes no sense what so ever.

Re:This is the FBI

It does when you realize you're only hearing what Agent Smith is saying

Re:So, the question is....

No. It was a revised statement based on new information. That's still allowed, right?

Y'all missed a critical paragraph in TFA

"How can two government agencies be so at odds at what’s going on here? Did the fusion center screw up, or is the fusion center being thrown under the bus?” commented Joe Weiss, the security expert who discovered the initial Fusion Center report and reported on it. “There’s a lot of black and white stuff in that report. Either there is or there isn’t a Russian IP address in there. It’s hard to miss that."

Re:Y'all missed a critical paragraph in TFA

[Nethemas+the+Great]

Don't worry clarification is only 20 years away.

Re:Y'all missed a critical paragraph in TFA

[Bardwick]

Watch the attempted connections to any machine on a public IP. Probably takes about 20 minutes to get an IP from every country in the world.

Re:Y'all missed a critical paragraph in TFA

Mod parent up. This is a very important point. These agencies aren't talking to each other very well.

Re:Y'all missed a critical paragraph in TFA

[WaffleMonster]

"How can two government agencies be so at odds at whatâ(TM)s going on here? Did the fusion center screw up, or is the fusion center being thrown under the bus?â commented Joe Weiss, the security expert who discovered the initial Fusion Center report and reported on it. âoeThereâ(TM)s a lot of black and white stuff in that report. Either there is or there isnâ(TM)t a Russian IP address in there. Itâ(TM)s hard to miss that."

One explanation could be their ras computer was one of millions which happened to be part of a random botnet army.

Someone looking into what had happened incorrectly linked their problem to discovery of the botnet. Not unlike blaiming the compiler, cosmic rays, the rain...etc..it was a knee jerk by someone lacking intelligence to follow thru with a proper investigation.

The "apparently" reference in regards to hacked vendors password lists also red flagged in my mind that the morons managing the system were just pulling magic unicorns outta their asses and had no clue what was going on.

Whenever there are fillers with unrelated incidents (hacker confessions) which seek to establish a trend in the readers mind that is a good time to make sure the trusty ole BS meter is still working.

Re:Y'all missed a critical paragraph in TFA

[Vellmont]

Either there is or there isn’t a Russian IP address in there. It’s hard to miss that.

An ip address is some unnamed log file that someone says is Russian tells you exactly nothing about whether a system was compromised. Was that just somebody running a scan near the same time the pump broke, or did you just get 0wned? A simple log file of network traffic won't tell you that. Anyone who's ever looked at network log files knows there's scans of your IP addresses going on constantly. In any forensic investigation it's rarely or never really a series of black and white. It's always open to interpretation.

Re:Y'all missed a critical paragraph in TFA

[Arrepiadd]

Riiiiiiiight... Correct me if I'm wrong, but a "connection attempt" won't be enough to take down any system.
Getting a Russian IP address to attempt to connect at your SSH port is one thing, getting a Russian IP address successfully entering your machine and "doing stuff" is something totally different.

If this was all because of an IP logged as failing access then that's one thing. Having heard earlier in the week that the password was 3 characters long, I kind of doubt that...

Re:Y'all missed a critical paragraph in TFA

Read the report.

  "In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported."

The key phrase is: ...there was no malicious or unauthorized traffic....

The pump failed all by itself. The inbound traffic was authorized and expected. The utility company overacted as did local law enforcement.

Once someone screams "Hack" you can't get the genie back in the bottle.

Re:Y'all missed a critical paragraph in TFA

[Arrepiadd]

Are we all just into saying crap nowadays?

Who the hell does intrusion detection by (simply) analyzing network traffic and port scanning? Here's a line from a log file in a certain machine I have access to:

Nov 21 18:20:46 ccc sshd[2549]: Accepted keyboard-interactive/pam for <USER> from <aaa>.<bbb>.58.34 port 64715 ssh2

(I replaced the username and part of the IP address for security and privacy reasons)
In this case, the user logged in successfully. If it was unsuccessful, it would also be logged. If it's an attempt at an invalid user, it's also log. So... tell me how is it hard to miss an actual connection from Russia, as compared to a script kiddie's unsuccessful attempt at finding the root password by trying a few common passwords?

Re:Y'all missed a critical paragraph in TFA

[mcgrew]

Different attack; this was in a little town a few miles outside Illinois' capital city, the one with the three letter password was in Texas (go figure).

Re:Y'all missed a critical paragraph in TFA

[Vellmont]

Who the hell does intrusion detection by (simply) analyzing network traffic and port scanning? Here's a line from a log file in a certain machine I have access to:

Maybe the same idiots who put a SCADA system accessible over the internet?

The truth is we have no idea where the alleged "russian IP address" came from. You making up an SSH log is pure bullshit. Was it an intrusion detection system, or was it a firewall log? Nobody is saying. The OP seemed to think this was very simple, with an IP address somehow being a definitive answer to whether the system was broken into, and the breaking being definitive evidence of the pump being caused by the alleged breakin.

My advice would be to stop making things up, and rely on actual facts. There's almost none of those now, so you can say just about anything and get away with it. The facts are the the FBI has said the claims the machine was hacked is utter bullshit.

My money is on the idiots who who thought it was a good idea to put a SCADA system for a public water supply on the internet aren't exactly the people you want conducting a security investigation. I don't exactly trust the FBI, but they're not really known to back away from high profile cases and claim there wasn't any crime. If you want evidence of the FBI being over-zealous in trying to find crimes where non occurred, just ask Steve Kurtz

Sowing the seeds of cyberwar profiteering?

[Dega704]

While I don't think that threats like these are nonexistent, they are still extremely overblown, and the media jumps on them at a moment's notice. My biggest concern is that this could be the beginning of the military industrial complex evolving to exist on the internet.

Re:Sowing the seeds of cyberwar profiteering?

[Synerg1y]

Yep, we haven't had a good cyber war yet, I'm sure the Chinese hackers are itching for it.

Re:Sowing the seeds of cyberwar profiteering?

we haven't?

Re:Sowing the seeds of cyberwar profiteering?

[hellkyng]

I'm not sure they are overblown at all, stuxnet being the poster child for this as it actually impacted real world nuclear reactors. Another example being the guy using the handle pr0f that hacked a SCADA system the same day as this water pump and offered conclusive evidence to the fact. If stuxnet was deployed as a method to weaken the security capabilities of a perceived enemy, then it strikes me as a tool of war. I'm pretty sure though what everyone is calling "cyber-war" is likely to evolve into "war-prep" or steps we take prior to landing boots on the ground.

Re:Sowing the seeds of cyberwar profiteering?

[Tekfactory]

Well stuxnet affected Programmable logic controllers that affected centrifuges refining nuclear material. I was at a conference recently and half the talks were about stuxnet, duqu and PLCs, the show was not energy or utility industry related, but basically anything with a PLC is vulnerable to this sort of attack.

There were a lot of folks in industry talking about how uncertain they were about how tight their air-gaps were. Stuxnet got past air-gaps anyway, but at least a lot of the industrial controls folks are talking about it now. It would have been nice if someone listened when US-CERT reported researchers were able to remotely burn out an electrical generator in 2005.

Re:Sowing the seeds of cyberwar profiteering?

but basically anything with a PLC is vulnerable to this sort of attack.

Anything with a PLC that happens to have a connection to the outside world. Put a PLC on a machine, don't give it network or serial access to anything, and I challenge anyone to make it do anything it's not explicitly programmed to do.

Now what *can* happen is that someone connects an infected PC to it when loading/updating a program on it and something nasty gets sent over as well, but there are fairly simple technical and administrative solutions to that problem as well.

Re:Sowing the seeds of cyberwar profiteering?

[mcgrew]

While I don't think that threats like these are nonexistent, they are still extremely overblown, and the media jumps on them at a moment's notice.

That's the media for you. If a system or systems were attacked on a daily basis, you wouldn't hear a peep out of the media. Dog Bites Man isn't news, Man Bites Dog is. Airline crashes are covered so often by the media because they're rare, not because they're common.

Re:Sowing the seeds of cyberwar profiteering?

[couchslug]

"My biggest concern is that this could be the beginning of the military industrial complex evolving to exist on the internet."

The military industrial complex invented the internet.

Re:So, the question is....

[Moheeheeko]

Yes, but we would prefer if government agencies didn't jump to outrageous conclusions before all the information is gathered.

Dam cyberhackers

[Hentes]

The three-letter passwords can withstand regular hackers, but noone could expect that the mighty cyberhackers were coming!

Re:Dam cyberhackers

[Zocalo]

Your "dam[sic] cyberhackers" can't have been that mighty if they managed to confuse a water pump for the whole frickin' dam.

Re:Dam cyberhackers

[Samantha+Wright]

Oh god. I didn't even cyber-notice that. What is the cyberworld cyber-coming to?

Re:Dam cyberhackers

Your "dam[sic] cyberhackers" can't have been that mighty if they managed to confuse a water pump for the whole frickin' dam.

Old Engineering saying: Damn the decimal point.

Re:Dam cyberhackers

Don't you mean "bizarro-coming to?"

Re:Dam cyberhackers

cyber-crime, my friend.. cyber-crime.

It wouldn't be the first

[bytesex]

Subject says all.

Cyber-hacking

I am not familiar with this term.

screenshots prove nothing...

[FrozenFood]

As an actual control systems engineer who uses the Siemens Simatic range of PLC/HMI/Servo drives, it doesnt take a two year old who knows how torrents works to download the WinCC flex HMI programming software, throw together a few screens with some built in clipart of pumps and generators and claim he has hacked a city's water supply... or uranium plant, or Area 51 air con system..

Of course

"You don't need to see his identification... These aren't the droids you're looking for."

Re:So, the question is....

No! That's called "flip-flopping" now and is grounds for ridicule. You're supposed to be born with perfect information just like Jesus was.

Help a /.er out

[Nexzus]

This reminds of a story I read in a newspaper at least 18 years ago that maybe was an excerpt from a book. Hoping someone could get me a name, or some other details.

Here's what I remember:

It was focused on a hacker. One of his crimes, he was able to remotely take over the operation of a dam, controlling its spillways, although I don't think he ever did any damage. When the authorities found the guy, his fingers were described as curled backwards from endless hours at a keyboard, and he was living in filth. I also remembered that in one of the authority's monitoring sessions, there was 45 minutes of uninterupted y's coming from the guy's terminal. Turns out he had fallen asleep on his keyboard.

I know, not much to go on. I read it as a child, and even though I wasn't really into computers at that time, I was still fascinated by it.

Re:Help a /.er out

It was focused on a hacker. One of his crimes, he was able to remotely take over the operation of a dam, controlling its spillways,

If it was done by whistling into a phone, it was probably about Kevin Mitnick.

Re:Help a /.er out

You sure he fell asleep on his keyboard?

anonymouscoward@slashdot.org:/home/anonymouscoward$ yes
y
y
y
y
y
y
y
y
y
y
y
y
y
y
y
y
y
y
y
y
y
y
^C

And apparently I need some longer lines in this post. WTF Slashdot, it's not spam if it's relevant.

Re:Help a /.er out

[fotoguzzi]

The book is called @Large.

http://books.simonandschuster.com/At-Large/David-H-Freedman/9780684835587 Cuckoo's Egg might be the classic popular text from that era.

http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/0743411463

Re:Help a /.er out

[Nexzus]

Aye, that's the one. Thank you kindly.

plenty more to come

Plenty more where that came from. See http://isc.sans.edu today

These Are Not

[KingPin27]

I cant help but think to myself ----- "these are not the droids you are looking for" -- Honestly too weird for me hackers, no hackers, makes no nevermind to me.

I'm in ur ladder...

...fryin ur pump!

Tinfoil Conspiracy

[q.kontinuum]

I posted this before, but the fight against this conspiracy is not over yet!
Any nerd claiming to wear a tinfoil head is either a wannabe or part of the tinfoil conspiracy!!11! It is so obvious that tinfoil hats might cover you from alleged hostile brain control waves from sattelites thousands of kilometeres awas, but otoh forms a nearly parabolic antenna to the whole communication wires and infrastructure below pedestrian lanes just a couple of meters away. And coincidentally only relevant people will be affected, since only they are likely to wear - wait a minute, there is someone knocking at my door, I will write more. later.

Preston

[oldmac31310]

A cyber what?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Weather balloon

Marsh gas. We're sorry the lieutenant told you the truth at first. He's new.

Never ...

[Akita24]

Never attribute to malice that which can be attributed to stupidity. Stupidity is much more common.

Re:Never ...

[mcgrew]

Hanlon's Razor (attributed to Heinlein). However, Never attribute to stupidity that which can be attributed to greedy self-interest. Somebody sold the water company a new pump, and the old one was fairly new.

Now, if the pump was covered under warrantee, Heinlein comes into play.

detailed analysis by DHS

[sl4shd0rk]

"...detailed analysis by DHS and the FBI has found no evidence of a cyber intrusion or any other malicious activity."

All this means is professional spin doctors were called in as damage control.

First off, there is a cracker out there with screen dumps from another cracked SCADA system. Coincidence? Yeah, right.

Secondly, the compromise was originally believed to have been the result of the SCADA vendor being cracked. Also, an IP address from a Russian source was found. If there was no compromise, I would still really be interested as to why a Russian IP address was found connecting to US infrastructure.

Thirdly, the cracker's pastebin post* sounds quite accurate of the DHS in general:
"...the DHS tend to downplay how absolutely FUCKED the state of national infrastructure is."

* - http://pastebin.com/Wx90LLum

Sometimes, a cigar is ONLY a cigar...

It probably wasn't an attack in the first place. (WE TOLD YOU SO!!!)
This has NOTHING to do with the "national infrastructure".
We have been telling people that have SCADA systems, "UNPLUG your SCADA network from the Internet, except for when your SI needs access. The minute he is done, unplug it again."
Simple. Problem solved.

OMG

[fsckmnky]

"She turned me into a newt!" ... "I got better."

These are not the ...

[Virtucon]

Obi-Wan: These aren't the droids you're looking for.
Stormtrooper: These aren't the droids we're looking for.
Obi-Wan: He can go about his business.
Stormtrooper: You can go about your business.
Obi-Wan: Move along.
Stormtrooper: Move along... move along.

STUXNET

Am I missing something, or when the US hacked Iran's system with Stuxnet - wasn't that the FIRST cyber hack? The US military smiled when asked if they commited the Stuxnet attack.

AC

screen shots....

[generic]

http://pastebin.com/Wx90LLum

Re:So, the question is....

Yes, but we would prefer if government agencies didn't jump to outrageous conclusions before all the information is gathered.

They didn't. I remember the original article. It was being investigated as a possible cyberattack. Possible was right in the title of the article. It was folks on Slashdot who repeatedly acted like it was a proven attack. Check out the discussion yourself. Here's the start of the summary.

Federal officials confirmed they are investigating whether a cyber attack may have been responsible for the failure of a water pump at a public water district in Illinois last week. But they cautioned that no conclusions had been reached, and they disputed one cyber security expert's statements that other utilities are vulnerable to a similar attack.

Sounds like they not only didn't jump to conclusions, but they ask everyone else not to as well. Yet do they get any credit for that? No. There are a bunch of modded up comments saying they lied to create more enforcement laws.

Astonishing

DHS clearly had the upper had to issue a "Propagande" claiming otherwise and much worse.

DHS Sec could have advised Obam to "go-code" country kill oder -- essentially condeming a countries population to nuclear death at the whim of a dictator ... dictator Obama.

But DHS did not follow or do this.

Why?

Why, when it is in there deepest and heartfelt interst to kill every, except themselves, USA citicen, when they espouse through there propaganda organs that ALL USA citizens, except themselves, are ENEMY COMBATINTS

But the astonishing Earth shattering fact is that THEY did not go this insane route ... WHY?

WHY? when they have enough evidence to BLACKMAIL every CEO, CFO and Boards of every Corporation residing in the USA!

WHY" when they have the USA Supreme Court in their hip pocket thanks to Obama!

WHY" when they espouse the killing and at least the debouchery of citizens in open contempt of local, state and Federal and International Laws! ... AH HA ... UC Davis!

Wonders of Wonders!

Ien Vunder!

It's a Miricle!

We should have a "Occupy the Chancellor's House" moment. A gallon of kerocen and a bick will do nicely.

AAAAA

+

Re:So, the question is....

[sjames]

Now we just need to make sure the new information isn't that they might have to cut back on fondling children in the airport and start doing actual hard work if the public gets concerned about the SCADA thing.

Local government incompetence?

[Bagok]

Whether or not this is was a hack it points to incompetence (in both the original incident and the followup investigation). This is not the first case of incompetence in Springfield's "City Water, Light and Power" division. I recall two weeks in the early 80s where the entire town was ordered to boil tap water before drinking (and avoid getting water in your eyes and mouth while bathing) because of high levels of ecoli contamination. CWLP workers ran around sampling water from all over the system for several weeks before they discovered their own lab was contaminating the samples. Springfield has a commissioner government where elected officials run various departments (Streets, CWLP, others I can't recall) with an elected mayor acting as a figure head. Commissioners are re-elected year after year as long as they *seem* competent and are generally well liked. I always thought it was strange system and I've never seen another local government run this way. I wonder if it is inherently more likely to have catastrophic failures than say, an aldermann/city council/city manager.