Cyber Attack on Illinois Water Utility System

Last week, it was reported that a hacker conducted a cyber attack on a Springfield, Illinois public water utility that resulted in the destruction of one of the utility's pumps. Experts indicated that the attack involved hacking a Supervisory Control And Data Acquisition (SCADA) which caused the water pump to burn out.

In a separate report late last week, another hacker was able to access and then post diagrams of the South Houston sewer system online in an attempt to demonstrate the system's vulnerabilities. DHS officials are investigating both incidents and have confirmed that there is currently no identified risk to critical infrastructure entities or a threat to public safety.

These incidents highlight the ongoing debate about the security of our nation's water utilities. As previously discussed, water utilities are currently statutorily exempt from the Chemical Facility Anti-Terrorism Standards (CFATS) program - even though many often may possess significant quantities of Chlorine - one of the so called Chemicals of Interest that could bring a facility under CFATS regulation.

Many believe that Congress should remove the statutory exemption - and require water utilities to comply with CFATS' security mandates. One of those mandates, Risk-Based Performance Standard (RBPS) 8 (Cyber), requires facilities to "[d]eter cyber sabotage, including preventing unauthorized on-site or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems...." Mandating such measures at water utilities would certainly prevent or at least mitigate these types of attacks.

Whether or not Congress acts to remove the exemption in 2012 is unknown but I will follow the issue closely and keep you posted.

Ryan Loughin is Director of Petrochemical & Energy Solutions for the Advanced Integration division of ADT- He provides security education to CFATS and MTSA-affected companies and is a member of the National Petrochemical and Refiners Association (NPRA), Society of Chemical Manufacturers and Associates (SOCMA), Energy Security Council (ESC) and American Society for Industrial Security (ASIS). Loughin has also completed multiple levels of CVI Authorized User training (Chemical- Terrorism Vulnerability Information) which was authored by the U.S. Department of Homeland Security.

Copyright © ADT Security Services, Inc. 2011 - All Rights Reserved. Legal Disclaimer - Some of the individuals posting to this site, including the moderators, work for ADT Security Services, Inc. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of ADT Security Services, Inc. The content is provided for informational purposes only and is not meant to be an endorsement or representation by ADT Security Services, Inc. or any other party. This site is available to the public. No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release ADT Security Services, Inc. from any liability related to your use of the Website. You also grant to ADT Security Services, Inc. a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.