Photo: Matthew Burpee/Flickr
When an Illinois fusion center distributed a report last year stating that hackers from Russia had broken into a water district’s SCADA system and sabotaged a water pump, the Department of Homeland Security stepped in publicly to denounce the report as false, blaming the regional fusion center for spreading unsubstantiated claims and sowing panic in the industrial control system community.
But while DHS was busy pointing a finger at the fusion center, its own Office of Intelligence and Analysis had been irresponsibly spreading the same false information privately in a report to Congress and the intelligence community, according to a Senate subcommittee investigation released late Tuesday. The DHS report was issued five days after the fusion center report was issued.
Even after the FBI and other investigators concluded a few days later that there was no merit to the hacking claims and that the reports were false, the DHS intelligence unit did not issue a correction to its report or notify Congress or the intelligence community that the information it spread was incorrect.
Officials behind the false claims told Senate investigators that such reports weren’t meant to be “finished intelligence” and that despite their report’s inaccuracies and sloppy wording they considered it to be a “success.”
“[It did] exactly what it’s supposed to do – generate interest,” DHS officials told Senate investigators.
The revelation is buried in a lengthy report released by the Senate’s bipartisan Permanent Subcommittee on Investigations, which examines the many failings of state fusion centers, which were set up in the wake of the 9/11 terrorist attacks in an effort to improve intelligence collection and dissemination for state, local and federal law enforcement and counter-terrorism agencies.
The water pump hack report spawned dozens of sensational news stories when it was leaked to reporters in November 2011. The fusion center report, which was titled “Public Water District Cyber Intrusion,” was distributed by the Illinois Statewide Terrorism and Intelligence Center on Nov. 10 and given to state and federal law enforcement agencies, utilities and other groups.
The report, which was meant to be confidential, claimed that attackers from Russia had hacked into the network of a software vendor that made the SCADA system used by a water district in Illinois and stolen usernames and passwords that the vendor maintained for its customers. The hackers then supposedly used the credentials to gain remote access to the utility’s network and cause a water pump to burn out. The report was leaked to the media by an industrial control systems expert who had gained access to it.
The report was significant at the time because it represented the first known attack of this kind involving hackers breaking into an industrial control system in the U.S. and sabotaging equipment. As the Senate investigators point out in their report, earlier that year Defense Department officials had stated that the U.S. would treat such attacks on critical infrastructure systems as an act of war if they caused widespread casualties.
But none of the information was true, and the authors of the fusion center report could have easily discovered this had they bothered to investigate the matter even a little.
Someone did access the water district’s SCADA system from Russia, but it was a water district contractor who was asked to access the system by water district employees, as Wired first reported. They had called him to seek his opinion on something while he was on vacation in Russia, and he had logged into the system remotely to check on some data for them.
When the pump broke five months later and someone examined the network logs to determine the cause, they found an IP address from Russia listed in the logs next to the username and password of the contractor. No one ever bothered to call the contractor to see if he had logged in from Russia; they just assumed someone in Russia had stolen his credentials.
The assertion by the fusion center that the pump was sabotaged by intruders from Russia was all the more perplexing since the contractor had logged in from Russia five months before the pump broke, the Senate investigators point out.
Nonetheless, five days after the fusion center issued its report on Nov. 10, officials from DHS’s Office of Intelligence & Analysis issued their own report, inexplicably repeating the same claims that the fusion center had made.
“Like the fusion center report, DHS stated the allegations as fact, not as theory, claim or hunch,” the Senate report says, noting that DHS guidelines forbid the department from reporting on information if it’s just a theory, claim or hunch.
The author of the DHS report, a senior reports officer in the Intelligence and Analysis branch, claimed in his report that the information was based on “first and secondhand knowledge of information” that was “deemed reliable.” The report never indicated that the information was based on conjecture.
A slide that the I&A office prepared for an intelligence briefing stated emphatically that the Illinois water district’s SCADA system had “experienced a network intrusion from a Russian IP address” and said that the perpetrator hijacked an “authorized user account” and that “system controls were manipulated resulting in a pump burnout.” The information was included in a daily intelligence briefing that went to Congress and the intelligence community.
A week after the DHS intelligence report was released, investigators from DHS’s Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) arrived in Illinois to investigate the apparent intrusion. They quickly determined, after speaking with the contractor whose name had shown up in the logs, that the fusion center and the DHS intelligence reports were wrong and that the failed pump was not the result of a hack attack at all.
“Almost no part of the initial reports of the incident had been accurate – not the fusion center report, or DHS’s own intelligence report, or its intelligence briefing,” write the Senate investigators in their report. “The only fact that they got right was that a water pump in a small illinois water district had burned out.”
On Nov. 22, the DHS released a statement saying that there was no evidence to back the fusion center claims that the utility had suffered a cyber intrusion, that credentials were stolen or that any malicious activity was behind the failed water pump.
On Nov. 30, after Wired published a story identifying the contractor who had logged into the system from Russia and revealed the true facts behind the “cyber intrusion”, DHS pointed the finger at the fusion center for releasing information that had not been verified.
A spokeswoman for the Illinois State Police, which is responsible for the fusion center, pointed the finger at local representatives of DHS, FBI and other agencies who she said were responsible for compiling information that gets released by the fusion center.
And then DHS pointed another finger back at the fusion center, saying if the report had been DHS-approved, six different offices would have had to sign off on it.
“Because this was an Illinois [fusion center] product, it did not undergo such a review,” a DHS official told Wired at the time.
But according to the Senate report, DHS had indeed released its own separate report that restated the same false claims that the fusion center report had stated.
When Senate investigators asked officials from the I&A office about their report, the officials acknowledged that they had not included caveats in the report to indicate that the information was uncorroborated and based on hypotheses, but they defended their hurried reporting by saying there was “a premium for getting [intelligence reports] out.”
And despite the fact that their office is called the Office of Intelligence & Analysis, they told investigators that “analytical judgements are saved” – that is, analysis is not included in such reports.