Incident: Foreign Hackers Cause Water Pump Failure in Illinois Water Plant

Published Date: 2011-11-18

Postmortem Analysis
Timeline
1. The software failure incident happened in November 2011. [8964, 8870]

System
1. Water pump motor at an Illinois water plant [8964, 8870]
2. Supervisory Control and Data Acquisition System (SCADA) used by the city water utility in Springfield, Illinois [8870]

Responsible Organization
1. Foreign hackers from an Internet address in Russia were responsible for causing the software failure incident at the Illinois water plant [8964, 8870].

Impacted Organization
1. City Water, Light and Power in Springfield, Illinois [8870]
2. Curran-Gardner Township Public Water District [8870]

Software Causes
1. Foreign hackers gained remote access into the control system of the city water utility in Springfield, Illinois, and destroyed a pump by hacking into the network of a software vendor that makes the SCADA system used by the utility. The hackers stole usernames and passwords from the vendor's database to gain access to the utility's network [8870].
2. The hackers used the stolen credentials to penetrate the control system for the water pump, causing a series of minor glitches that escalated to the point where the pump motor was being turned on and off frequently, leading to its burnout [8964].

Non-software Causes
1. The failure incident was caused by foreign hackers gaining remote access into the control system of the city water utility in Springfield, Illinois, and destroying a pump [8870].
2. The hackers gained access by first hacking into the network of a software vendor that makes the SCADA system used by the utility [8870].
3. The hackers stole usernames and passwords from the software vendor's database, which were used to gain remote access to the utility's network [8870].
4. The theft of credentials from the software vendor raised the possibility of other customers using the same SCADA system being targeted as well [8870].

Impacts
1. The software failure incident caused a water pump at an Illinois water plant to fail, leading to physical destruction [8964, 8870].
2. The incident resulted in the burnout of a water pump, affecting the water supply system [8870].
3. The hackers gained remote access into the control system of the city water utility and destroyed a pump, indicating a breach of industrial control systems [8870].
4. The theft of usernames and passwords from a software vendor's database raised concerns about potential attacks on other SCADA systems [8870].
5. The incident highlighted vulnerabilities in critical infrastructure systems in the United States, emphasizing the need for improved cybersecurity measures [8964, 8870].

Preventions
1. Implementing strong cybersecurity measures such as multi-factor authentication to prevent unauthorized access to critical systems [8870].
2. Regularly monitoring and auditing system logs for any unusual activities or anomalies that could indicate a potential cyber-attack [8870].
3. Ensuring that software vendors maintain secure databases and do not store sensitive information like usernames and passwords in an easily accessible manner [8870].
4. Educating employees and system operators on cybersecurity best practices to recognize and report any suspicious activities or system glitches [8870].
5. Collaborating with government agencies and cybersecurity experts to stay informed about emerging threats and vulnerabilities in industrial control systems [8870].

Fixes
1. Enhancing cybersecurity measures to prevent unauthorized access and hacking attempts, such as implementing stronger authentication protocols and encryption methods [8964, 8870].
2. Conducting thorough security audits and assessments of critical infrastructure systems to identify vulnerabilities and address them promptly [8964, 8870].
3. Improving monitoring and detection capabilities to quickly identify unusual activities or anomalies within the control systems [8870].
4. Educating operators and staff on cybersecurity best practices to prevent social engineering attacks and unauthorized access [8870].
5. Collaborating with cybersecurity experts and agencies to share information and intelligence on potential threats and vulnerabilities in SCADA systems [8870].

References
1. Illinois Statewide Terrorism and Intelligence Center
2. Joe Weiss, an industry security expert
3. Department of Homeland Security
4. FBI
5. Dave Marcus, director of security research for McAfee Labs
6. City Water, Light and Power
7. Curran-Gardner Township Public Water District
8. DHS spokesman Peter Boogaard
9. Applied Control Solutions
10. Threat Level
11. Wired.com
12. State Journal-Register newspaper
13. DHS Industrial Control System-Cyber Emergency Response Team

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident having happened again at one_organization: - The incident involving the hack into the SCADA system of the city water utility in Springfield, Illinois, where a pump was destroyed, was similar to a recent hack into an MIT server last June that was used to launch attacks on other systems [8870]. - The hack of the SCADA system in Illinois was the first breach of an industrial control system reported since the Stuxnet worm was found on systems in Iran and elsewhere last year [8870]. (b) The software failure incident having happened again at multiple_organization: - The incident in Springfield, Illinois, where hackers gained remote access into the control system of the city water utility and destroyed a pump, raised concerns about the possibility of other customers using the same SCADA system being targeted as well [8870]. - The incident was a major new development in cybersecurity, indicating vulnerabilities in critical systems in the United States that could be exploited by cyber-attacks [8964].
Phase (Design/Operation) design, operation (a) The software failure incident in the water plant in Illinois was primarily due to a design failure. The incident was caused by foreign hackers who gained access to the control system of the water utility by first hacking into the network of a software vendor that makes the SCADA system used by the utility. The hackers stole usernames and passwords from the vendor's database, which allowed them to remotely access the utility's network and manipulate the water pump, eventually causing it to fail [8964, 8870]. (b) The software failure incident can also be attributed to an operational failure. The operators at the utility company noticed "glitches" in the remote access for the SCADA system for two to three months before the attack was discovered. These glitches were not initially recognized as signs of a cyber-attack, and it was only when the SCADA system started turning on and off that the operators realized something was wrong. This indicates a failure in the operation and monitoring of the system, leading to the successful intrusion by the hackers [8870].
Boundary (Internal/External) within_system, outside_system (a) The software failure incident in Springfield, Illinois, where a water pump at a water plant failed due to a cyber-attack was primarily caused by contributing factors that originated from within the system. The hackers gained remote access into the control system of the city water utility and destroyed the pump by exploiting vulnerabilities in the SCADA system [8870]. The incident involved the hackers first hacking into the network of a software vendor that makes the SCADA system used by the utility, stealing usernames and passwords, and then using those credentials to gain remote access to the utility's network [8870]. (b) However, the attack itself originated from outside the system, as the hackers launched their attack from IP addresses based in Russia [8870]. The hackers acquired unauthorized access to the software company's database, which was an external source, and used this information to penetrate the control system for the water pump [8964].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in Springfield, Illinois, was primarily caused by non-human actions, specifically a cyber-attack by foreign hackers. The hackers gained remote access into the control system of the city water utility and destroyed a pump by turning it on and off frequently, leading to its burnout [8870]. The attack originated from IP addresses based in Russia and was facilitated by the hackers first hacking into the network of a software vendor that provided the SCADA system used by the utility. This allowed them to steal usernames and passwords to gain access to the utility's network [8870]. (b) Human actions also played a role in the software failure incident as the hackers exploited vulnerabilities in the system that were introduced through human actions. The hackers acquired unauthorized access to the software company's database, retrieved user names and passwords of control systems, and used this information to penetrate the control system for the water pump [8964]. Additionally, the software vendor maintained usernames and passwords for its customers, which were stolen by the hackers to gain remote access to the utility's network [8870].
Dimension (Hardware/Software) software (a) The software failure incident in Springfield, Illinois, where a water pump at a water plant failed was caused by a cyber-attack orchestrated by foreign hackers. The hackers gained remote access into the control system of the city water utility and destroyed the pump. The attack originated from IP addresses based in Russia and was facilitated by first hacking into the network of a software vendor that makes the SCADA system used by the utility [8870]. (b) The software failure incident was attributed to a breach in the control system software due to hackers breaking into a software company's database and retrieving user names and passwords of control systems that run water plant computer equipment. This breach allowed the hackers to penetrate the control system for the water pump, leading to the pump's failure [8964].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident in Springfield, Illinois, where a water pump at a water plant failed was malicious in nature. The incident was caused by foreign hackers who gained remote access into the control system of the city water utility and destroyed the pump [8870]. The hackers launched their attack from IP addresses based in Russia and first hacked into the network of a software vendor that makes the SCADA system used by the utility. They stole usernames and passwords to gain remote access to the utility's network, leading to the burnout of the water pump [8870]. The attack was confirmed to be a cyber-attack that caused physical destruction, marking a departure from typical cyber incidents that aim to steal information or disrupt websites [8964]. The hackers acquired unauthorized access to the software company's database and used the information to penetrate the control system for the water pump, resulting in the pump motor being turned on and off frequently until it burned out [8964].
Intent (Poor/Accidental Decisions) poor_decisions (a) The intent of the software failure incident: - The incident involved hackers gaining remote access into the control system of a city water utility in Springfield, Illinois, and destroying a pump [8870]. - The hackers were discovered when a water district employee noticed problems in the Supervisory Control and Data Acquisition System (SCADA), which kept turning on and off, resulting in the burnout of a water pump [8870]. - The hackers gained access by first hacking into the network of a software vendor that makes the SCADA system used by the utility, stealing usernames and passwords maintained by the vendor for its customers [8870]. - The theft of credentials raised the possibility that other customers using the vendor's SCADA system may be targeted as well [8870]. - The incident involved a series of minor glitches with a water pump that gradually escalated to the point where the pump motor was being turned on and off frequently, leading to its burnout [8964]. - The report attributed the damage to the actions of somebody using a computer registered to an Internet address in Russia, who had acquired unauthorized access to the software company's database to penetrate the control system for the water pump [8964]. - The incident was a major development in cybersecurity, highlighting vulnerabilities in critical systems controlled by computers that are susceptible to cyber-attacks [8964].
Capability (Incompetence/Accidental) accidental (a) The software failure incident in the water plant in Illinois was not due to development incompetence but rather due to a cyber-attack by foreign hackers. The hackers gained remote access into the control system of the city water utility and destroyed a pump by exploiting vulnerabilities in the system [8870]. (b) The software failure incident was accidental in the sense that the operators at the utility initially noticed "glitches" in the remote access for the SCADA system but thought it was part of the normal instability of the system. It wasn't until the SCADA system actually turned on and off that they realized something was wrong, indicating that the intrusion by hackers was not immediately detected as a malicious attack [8870].
Duration temporary (a) The software failure incident in the water plant in Springfield, Illinois was temporary. The incident involved hackers gaining remote access into the control system of the city water utility and destroying a pump. The hackers were discovered when a water district employee noticed problems in the Supervisory Control and Data Acquisition System (SCADA), which kept turning on and off, resulting in the burnout of a water pump [8870]. The intrusion by the hackers into the SCADA system lasted for two to three months before being discovered, during which operators at the utility noticed "glitches" in the remote access for the system. The report indicates that the operators initially thought these glitches were part of the normal instability of the system until the SCADA system actually turned on and off, indicating something was wrong [8870].
Behaviour crash, other (a) crash: The software failure incident in the articles can be categorized as a crash. The incident involved a water pump at an Illinois water plant failing due to a cyber-attack, resulting in physical destruction. The pump motor was being turned on and off frequently until it burned out, indicating a failure of the system to perform its intended functions [8964, 8870]. (b) omission: The incident does not specifically mention a failure due to the system omitting to perform its intended functions at an instance(s). (c) timing: The incident does not involve a failure due to the system performing its intended functions correctly, but too late or too early. (d) value: The incident does not involve a failure due to the system performing its intended functions incorrectly. (e) byzantine: The incident does not involve a failure due to the system behaving erroneously with inconsistent responses and interactions. (f) other: The behavior of the software failure incident can be categorized as a crash, as described above.

IoT System Layer

Layer Option Rationale
Perception sensor, network_communication, embedded_software (a) sensor: The software failure incident in Springfield, Illinois, was related to a pump failure at a water plant caused by foreign hackers. The incident involved a series of minor glitches with a water pump that gradually escalated to the point where the pump motor was being turned on and off frequently, leading to its burnout. The hackers gained remote access into the control system of the city water utility, which resulted in the destruction of the pump. The intrusion into the system was detected when the Supervisory Control and Data Acquisition System (SCADA) kept turning on and off, indicating a sensor-related issue [8964, 8870]. (b) actuator: The incident in Springfield, Illinois, where a water pump failed due to a cyber-attack by hackers, did not specifically mention any contributing factors related to an actuator error. The focus of the incident was on the control system being compromised and the pump being damaged as a result [8964, 8870]. (c) processing_unit: The software failure incident in Springfield, Illinois, was primarily related to a cyber-attack on the control system of the water utility, leading to the pump failure. The hackers gained access to the system by first hacking into the network of a software vendor that provided the SCADA system used by the utility. They retrieved usernames and passwords, which allowed them to remotely access the utility's network. The incident did not directly point to a failure introduced by errors in the processing unit itself [8870]. (d) network_communication: The cyber-attack on the water plant in Springfield, Illinois, involved hackers gaining remote access into the control system of the city water utility. The hackers launched their attack from IP addresses based in Russia and gained access by first hacking into the network of a software vendor that makes the SCADA system used by the utility. They stole usernames and passwords to gain remote access to the utility's network, indicating a failure introduced by network communication error [8870]. (e) embedded_software: The incident in Springfield, Illinois, where a water pump failed due to a cyber-attack by hackers, was related to the compromise of the control system through unauthorized access to a software company's database. The hackers retrieved user names and passwords of control systems that run water plant computer equipment, allowing them to hack into the plant. This indicates a failure introduced by errors in the embedded software controlling the water plant systems [8964].
Communication connectivity_level The software failure incident reported in the articles was related to the connectivity level of the cyber-physical system that failed. The failure was due to contributing factors introduced by the network layer, specifically through remote access gained by hackers into the control system of the city water utility in Springfield, Illinois [8870]. The hackers gained access by first hacking into the network of a software vendor that makes the SCADA system used by the utility, stealing usernames and passwords to gain remote access to the utility's network [8870]. This breach of the control system was facilitated through vulnerabilities in the network layer, allowing unauthorized access and control over the water pump, ultimately leading to its burnout [8870].
Application TRUE The software failure incident related to the cyber-physical system failure in the water plant in Illinois was indeed related to the application layer of the system. The failure was caused by foreign hackers who gained remote access into the control system of the water utility and destroyed a pump. The hackers were able to gain access by hacking into the network of a software vendor that makes the SCADA system used by the utility, stealing usernames and passwords to gain remote access to the utility's network [8870]. This breach involved unauthorized access to the software company's database, which allowed the hackers to penetrate the control system for the water pump, leading to its burnout [8964]. This aligns with the definition of an application layer failure, as it was caused by unauthorized access and misuse of the software system.

Other Details

Category Option Rationale
Consequence property, non-human, theoretical_consequence (a) unknown (b) unknown (c) unknown (d) The software failure incident resulted in physical destruction of a water pump at an Illinois water plant, causing it to burn out [8964, 8870]. (e) unknown (f) The software failure incident impacted non-human entities, specifically the water pump at the water plant in Illinois [8964, 8870]. (g) unknown (h) Theoretical consequences discussed included the potential risk of destructive cyber-attacks on critical infrastructure and the vulnerability of computers controlling critical systems in the U.S. to cyber-attacks [8964]. (i) unknown
Domain utilities (a) The failed system was related to the utilities industry, specifically the water supply system in Springfield, Illinois. The incident involved a cyber-attack on a water plant that caused a pump to fail, leading to physical destruction [8964, 8870].
