Wow, OK. So it was just an old pump in bad condition that failed due to lack of maintenance or some such. And the "hacking" was a legitimate employee accessing the system from Russia, where he was traveling, and had no connection whatsoever with the pump failure. But they didn't bother to verify this. They just checked logs, found a Russian IP address, and without doing an investigation started shouting "Russian Terror Attack!" and went to full-on red alert.
Well at least they managed to create a lot of publicity in the international press about how their systems are on the internet and use three letter passwords which may or may not be the default three letter password set at the factory. That information should be helpful to someone I guess.
But they didn't bother to verify this. They just checked logs, found a Russian IP address, and without doing an investigation started shouting "Russian Terror Attack!" and went to full-on red alert.
As plausible as that is, it doesn't sound like that's quite what happened here (emphasis mine):
"Federal officials confirmed that the FBI and the Department of Homeland Security were investigating damage to the water plant but cautioned against concluding that it was necessarily a cyber-attack before all the facts could be learned. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” said DHS spokesman Peter Boogaard."
"News of the incident became public after Joe Weiss, an industry security expert, obtained a report dated Nov. 10 and collected by an Illinois state intelligence center that monitors security threats. The original source of the information was unknown and impossible to immediately verify."[1]
The article (and seemingly all of the others) goes on to cite Weiss as the sole source for the claim that it was a hack and "a big deal". From his blog post[2] and more recent posts, it sounds like the report he had obtained claimed it was a hack and he publicized it "to highlight a concern that information is not being disseminated in a timely manner", which I suppose is the opposite of full-on red alert.
I think Weiss was probably trying to make a good point (if you believe the DHS, then not only wasn't information getting disseminated, it was also wrong information) but the press ran with the sexier "We're getting hacked by Russia!" aspect even without verification.
This proves again how tremendously paranoid we have become in the west. Everything is an attack, and more generally a reason to distrust each other more. Even if the blame is on ourselves for disregarding maintenance.
(not to say that they shouldn't have used a better password, but please, please media stop shouting "cyberwar!!!" at each possible instance)
I'm going to give this the hand-in-the-air rocking-back-and-forth "ehhhhh, welllll" treatment. The media has freaked out about "hackers" more or less continuously for the past 30 years. It's not new.
Remember, The Hacker Crackdown [1] is from 1992, and the news then was still not that the media freaked out about this sort of thing, but the huge arrest wave it represented.
But it did change. "hackers" used to be kids, tricksters and sometimes even criminals. Now, it's "cyberwar", and foreign countries are supposed to be involved even in the most trivial hack. Ooh they used a Chinese proxy so it must be the Chinese!
So if I route my traffic through a Russian host, suddenly it becomes a terrible danger? Sounds like a pretty badly informed investigation team, who leaped to conclusions without justifying their claims properly.
I can't even imagine what kind of abysmal state of security must be employed when a "security expert" can't see any difference between a legitimate access to the system and a cyber attack, and then eventually comes to the conclusion that it was a typical hardware failure.
Truth is, in most/many publicly accessible (or even private) technological infrastructures it's very difficult to discern between external attacks and self-inflicted damage, or even system/component failures.
It's probable that you're under a constant low-level attack -- bots and script kiddies at the very least. If your infrastructure's interesting enough, there may even be targeted attacks. Your own ops / eng team is probably your biggest threat (just plain shit happening, though intentional damage does happen). Parts breaking, or various buckets overflowing generally don't help matters much. Since you're talking about a system with usually at a minimum hundreds of discrete subsystems, let alone the number of physical components, interconnects, and external dependencies, it's difficult to monitor it all let alone have a solid sense of what's going on. Your best bet is some overall metric of system/site health.
I worked for ... a large Internet presence where an apparently unauthorized access to an admin tool (unknown username) and resetting of system parameters was traced (with the help of the internal security team) ... to our own office. The dipshit doing this sat two chairs over but hadn't piped up during several days' worth of "WTF is going on / who's accessing this system as 'username'".
"Last week I wrote a story on the compromise of an industrial control system in Illinois that destroyed a pump at a water processing facility. The same day a hacker came forward and posted internal information on pastebin.com from another compromised utility in South Houston, Texas."
"Within hours of publication I was contacted by the hacker involved in the Texas incident and I was able to ask him a few questions via email about the state of critical infrastructure security."