ICSJWG: ‘Know Your Facts’

Tuesday, May 8, 2012 @ 11:05 PM gHale

By Gregory Hale
A classic case of jumping to conclusions before all the facts were in ended up being a perfect example of how cyber incident response communication should occur, even though the event turned out to be a non-cyber incident.

Last November, a report came out that a Russian IP address had been found on the Curran-Gardner Water District network, and fears erupted that the system had been compromised by Russian attackers.


In the post-Stuxnet world, the initial report was leaked and the story spread across the world. While the water district did suffer a pump failure, it was not at the hands of a hacker; it was simply a pump that failed.

“They didn’t know how far and how fast the reporting would go in these types of incidents,” said Christopher Trifiletti, special agent for the FBI in Springfield, IL, during the opening session at the ICSJWG 2012 Spring Conference in Savannah, GA. “This is not a shrinking subject area; it is a growing subject area.”

Fearing this was a national security issue, Trifiletti knew he had to go down and investigate, but he also had to make sure the company would let the FBI in, because a private company does not have to if it does not want to. Even though the company had proprietary technology, the water district wanted to find out what happened as much as the FBI did.

Once the FBI got in, they called ICS-CERT to come down and investigate.

Understanding the potential high profile nature of the scenario, “We treated this like we would any other case,” said Eric Cornelius, with DHS ICS-CERT. “We have a process and we went on site and just started from the beginning. We started by talking to the staff.”

“One staff member saw a Russian IP and he jumped to a conclusion that a Russian compromised the system,” Cornelius said.

It turned out that a contractor who worked on the network was on vacation and had logged in to do a system check; he was in Russia at the time.

After a detailed analysis, DHS and the FBI found no evidence of a cyber intrusion into the SCADA system.

While they had to dig through quite a bit of information, one area that helped them was the data logs. “We had a lot of logs and we ended up parsing them,” Cornelius said. They did have problems at first in that they had to figure out how to decipher the data. They finally settled on a program to help them parse out the data they were looking for.

“We didn’t find any indicators whatsoever that there was a compromise,” Cornelius said. “We found a pattern and cyber attacks don’t usually follow a pattern.”
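The kind of log triage described above, as an added example that is not the article's or ICS-CERT's own tooling: it parses constructed remote-access records, groups them by source address and account, and checks whether a login from an unfamiliar address follows the steady cadence of an authorized contractor's check-ins or the irregular, failing pattern that actually warrants a closer look. The log format, account names, IP addresses and the authorized-account list are all assumptions.

```python
# Added example, not code from the article or from ICS-CERT. Log format,
# account names and IP addresses below are constructed for illustration.
from collections import defaultdict
from datetime import datetime

# Constructed log: nightly check-ins from one address, failed-login burst from another.
SAMPLE_LOG = """\
2011-11-01 21:02:11 LOGIN user=contractor_jd src=198.51.100.23 result=success
2011-11-02 21:05:40 LOGIN user=contractor_jd src=198.51.100.23 result=success
2011-11-03 20:58:07 LOGIN user=contractor_jd src=198.51.100.23 result=success
2011-11-04 21:01:55 LOGIN user=contractor_jd src=198.51.100.23 result=success
2011-11-03 03:14:09 LOGIN user=admin src=203.0.113.9 result=failure
2011-11-03 03:14:12 LOGIN user=admin src=203.0.113.9 result=failure
2011-11-03 03:14:15 LOGIN user=operator src=203.0.113.9 result=failure
"""

AUTHORIZED_REMOTE = {"contractor_jd"}  # constructed: accounts allowed remote maintenance

def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS LOGIN key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[2] != "LOGIN":
            continue  # skip anything that is not a login record
        event = dict(p.split("=", 1) for p in parts[3:])
        event["ts"] = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return events

def triage(events, authorized, max_jitter_s=900):
    """Group logins by (source IP, account) and judge whether each group is routine.

    Routine: authorized account, no failures, consecutive logins about 24h apart
    (within max_jitter_s). An unfamiliar source IP alone is not evidence of a
    compromise; the account and the cadence decide."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["user"])].append(e)
    report = {}
    for (src, user), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        steady = bool(gaps) and all(abs(g - 86400) <= max_jitter_s for g in gaps)
        failures = sum(e["result"] != "success" for e in evs)
        routine = user in authorized and failures == 0 and steady
        report[(src, user)] = {"logins": len(evs), "failures": failures,
                               "steady_daily": steady,
                               "verdict": "routine" if routine else "investigate"}
    return report
```

Running `triage(parse_log(SAMPLE_LOG), AUTHORIZED_REMOTE)` marks the contractor's nightly logins as routine and the failed-login burst as worth investigating; the same contractor logins flip to "investigate" if the account is not on the authorized list.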

A charged atmosphere in which no one involved really knew what was happening at first was quickly resolved because the water district had a forensic response plan in place, so they knew what to do and when to do it.
