A cyber strike launched from outside the United States hit a public water system in the Midwestern state of Illinois, an infrastructure control systems expert said on Friday.
“This is arguably the first case where we have had a hack of critical infrastructure from outside the United States that caused damage,” Applied Control Solutions managing partner Joseph Weiss told AFP.
“That is what is so big about this,” he continued. “They could have done anything because they had access to the master station.”
The Illinois Statewide Terrorism and Intelligence Center disclosed the cyber assault on a public water facility outside the city of Springfield last week but attackers gained access to the system months earlier, Weiss said.
The network breach was exposed after cyber intruders burned out a pump.
“No one realized the hackers were in there until they started turning on and off the pump,” according to Weiss.
The attack was reportedly traced to a computer in Russia and took advantage of account passwords stolen during a hack of a US company that makes Supervisory Control and Data Acquisition (SCADA) software.
There are about a dozen or so firms that make SCADA software, which is used around the world to control machines in industrial facilities ranging from factories and oil rigs to nuclear power and sewage plants.
Stealing passwords and account names from a SCADA software company was, in essence, swiping keys to networks of facilities using the programs to control operations.
“We don’t know how many other SCADA systems have been compromised because they don’t really have cyber forensics,” said Weiss, who is based in California.
The US Department of Homeland Security has downplayed the Illinois cyber attack in public reports, stating that it had seen no evidence indicating a threat to public safety but was investigating the situation.
Word also circulated on Friday that a water supply network in Texas might have been breached in a cyber attack, according to McAfee Labs security research director David Marcus.
“My gut tells me that there is greater targeting and wider compromise than we know about,” Marcus said in a blog post.
“Does this mean that I think it is cyber-Armageddon time?” Marcus continued. “No, but it is certainly prudent to evaluate our systems and ask some questions.”