Foreign hackers broke into a water plant control system in Illinois last week and damaged a water pump in what may be the first reported case of a malicious cyber attack on a critical computer system in the United States, according to an industry expert.
On Nov. 8, a municipal water district employee in Illinois noticed problems with the city’s water pump control system, and a technician determined the system had been remotely hacked into from a computer located in Russia, said Joe Weiss, an industry security expert who obtained a copy of an Illinois state fusion center report describing the incident.
The city affected was Springfield, Ill., according to the U.S. Department of Homeland Security.
Problems with the system had been observed for two to three months and recently the system “would power on and off, resulting in the burnout of a water pump,” the Nov. 10 report from the statewide terrorism and intelligence center stated, according to Weiss, who read the report to The Washington Post.
“This is a big deal,” said Weiss. The report stated it is unknown how many other systems might be affected.
According to the report, hackers apparently broke into a software company’s database and retrieved user names and passwords of various control systems that run water plant computer equipment. Using that data, they were able to hack into the plant in Illinois, Weiss said.
It’s not the first time that two-step technique — hack a security firm to gain the keys to enter other companies or entities — has been used.
Earlier this year, hackers believed to be working from China stole sensitive data from RSA, a division of EMC that provides secure remote computer access to government agencies, defense contractors and other commercial companies around the world. Armed with that data, they breached the computer networks of companies, including Lockheed Martin, whose employees used RSA “tokens” to log in to the corporate system from outside the office. Lockheed said that no sensitive data were taken.
“RSA is the gold standard” for remote access security in industry, said Gen. Keith Alexander, head of U.S. Cyber Command and director of the National Security Agency, at a conference in Omaha this week. “If they got hacked, where does that leave the rest?”
Alexander noted his concern about “destructive” attacks on critical systems in the United States.
The Department of Homeland Security, whose job is to oversee the protection of critical infrastructure such as water utility computer systems in the United States, said that DHS and the FBI are investigating the Illinois incident. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” DHS spokesman Peter Boogaard said in an e-mailed statement.