Water-pump failure in Illinois wasn’t cyberattack after all - lsr7
http://www.washingtonpost.com/world/national-security/water-pump-failure-in-illinois-wasnt-cyberattack-after-all/2011/11/25/gIQACgTewN_story.html?hpid=z3

======
droithomme
Wow, OK. So it was just an old pump in bad condition that failed due to lack
of maintenance or some such. And the "hacking" was a legitimate employee
accessing the system from Russia where he was traveling and had no connection
whatsoever with the pump failure. But they didn't bother to verify this. They
just checked logs, found a Russian IP address, and without doing an
investigation started shouting "Russian Terror Attack!" and went to full-on
red alert.

Well at least they managed to create a lot of publicity in the international
press about how their systems are on the internet and use three letter
passwords which may or may not be the default three letter password set at the
factory. That information should be helpful to someone I guess.

~~~
munin
any time someone says something about "the attack came from X", you should
think back to this event

~~~
wladimir
This proves again how tremendously paranoid we have become in the west.
Everything is an attack, and more generally a reason to distrust each other
more. Even if the blame is on ourselves for disregarding maintenance.

(not to say that they shouldn't have used a better password, but please,
please media stop shouting "cyberwar!!!" at each possible instance)

~~~
jerf
I'm going to give this the hand-in-the-air rocking-back-and-forth "ehhhhh,
welllll" treatment. The media has freaked out about "hackers" more or less
continuously for the past 30 years. It's not new.

Remember, The Hacker Crackdown [1] is from 1992, and the news then was still
not that the media freaked out about this sort of thing, but the huge arrest
wave it represented.

[1]: <http://www.mit.edu/hacker/hacker.html>

~~~
wladimir
But it did change. "hackers" used to be kids, tricksters and sometimes even
criminals. Now, it's "cyberwar", and foreign countries are supposed to be
involved even in the most trivial hack. Ooh they used a Chinese proxy so it
must be the Chinese!

------
jr62
So if I route my traffic through a Russian host, suddenly it becomes a
terrible danger? Sounds like a pretty badly informed investigation team, who
leaped to conclusions without justifying their claims properly.

~~~
msbarnett
The investigating team said that they were collecting information but had no
evidence that it was an attack.

The _media_ ran with the attack angle.

------
nikcub
the FBI said right away that they don't know it is a cyber attack yet. it was
the media and blogs that got carried away with the hot story.

------
jeffreymcmanus
Fake cyberattack is the new fake terrorist threat.

~~~
elliottkember
SOPA is the new Patriot Act?

------
stef25
So this is not the incident that pr0f confessed to being involved in?

<http://nakedsecurity.sophos.com/2011/11/22/interview-with-scada-hacker-pr0f-about-the-state-of-infrastructure-security/>

~~~
elliottcarlson
Obviously not, from the article:

"Last week I wrote a story on the compromise of an industrial control system
in Illinois that destroyed a pump at a water processing facility. The same day
a hacker came forward and posted internal information on pastebin.com from
_another compromised utility in South Houston, Texas_."

"Within hours of publication I was contacted by the hacker involved in the
_Texas_ incident and I was able to ask him a few questions via email about the
state of critical infrastructure security."

------
sakopov
I can't even imagine what kind of abysmal state of security must be employed
when a "security expert" can't see any difference between legitimate access
to the system and a cyber attack and then eventually comes to the conclusion
that it was a typical hardware failure.

~~~
dredmorbius
Truth is, in most/many publicly accessible (or even private) technological
infrastructures it's very difficult to discern between external attacks and
self-inflicted damage, or even system/component failures.

It's probable that you're under a constant low-level attack -- bots and script
kiddies at the very least. If your infrastructure's interesting enough, there
may even be targeted attacks. Your own ops / eng team is probably your biggest
threat (just plain shit happening, though intentional damage does happen).
Parts breaking, or various buckets overflowing generally don't help matters
much. Since you're talking about a system with usually at a minimum hundreds
of discrete subsystems, let alone the number of physical components,
interconnects, and external dependencies, it's difficult to monitor it all let
alone have a solid sense of what's going on. Your best bet is some overall
metric of system/site health.

I worked for ... a large Internet presence where an apparently unauthorized
access to an admin tool (unknown username) and resetting of system parameters
was traced (with the help of the internal security team) ... to our own
office. The dipshit doing this sat two chairs over but hadn't piped up during
several days' worth of "WTF is going on / who's accessing this system as
'username'".

Don't ask me how my Thanksgiving went.

------
rickmb
And this is how the next major war will start...

Seriously, this pretty much sounds like a test run to see if the media will
still take the bait without asking questions.

------
Vivtek
Quelle surprise.

------
DLWormwood
Next thing you know... the government will start accusing terrorist repairmen
of sabotaging our duct work.