Security expert Joe Weiss obtained the report and read it to The Washington Post. If confirmed, the incident would have been the first report of a cyberattack causing physical damage to a water system in the United States.
But the Department of Homeland Security and the FBI said they could not confirm reports of a cyberattack. DHS spokesman Chris Ortman called the Illinois state report nothing more than “raw, unconfirmed data.”
He said that the federal investigation also could not confirm the report’s claim that hackers broke into a software company’s database and retrieved user names and passwords, which enabled access to the water plant system.
“In addition,” Ortman said, “DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported.”
Officials from the state intelligence center did not return phone calls seeking comment Wednesday.
Weiss said that federal officials were seeking a degree of proof impractical for such a cyberattack. The control system at the Illinois plant probably does not log signals sent to the water pumps and, as a result, would contain no data on who might have gained access to the system, he said. “Control systems don’t have that kind of logging.”
The pump was having problems, Don Craven, a trustee on the Curran-Gardner water board, said in a phone interview. “We noticed some glitches,” Craven said. The district passed the information to the state Environmental Protection Agency, he said.
Craven said the board later saw a report — he did not recall from which agency — that “came to the conclusion that somebody had hacked into the system.”
Robert Green, another water board member, said that the water district manager told him “there were some intrusions.”
“They think some people hacked it, but they weren’t in long enough to do anything,” he said.
Green said that there were some glitches with the pump. “But was it the pump,” he said, “or was it a hacker, or was it something that went wrong in the [control] system, too?”