illinois water pump hack not so much of a hack

Posted on by michael

Watching the Illinois water pump hacking situation has been fun. Wired pretty much summed up the end story: no hack here, just a series of fun incidents.

While it makes for a great movie plot, and gets people excited, I’ve found that most “strange” things at work involving computers ends up being completely innocent, and not the effects of some nefarious digital attackers. For as paranoid and ear-to-the-security-ground as I might be, I’m still one of the last people to think an actual attack is under way when something weird happens on my networks. And 98%+ of the time I’m correct. Jumping the gun and throwing cries of, “hackers, hackers, hackers!” without anything solid to go on does no one any good.

It’s one thing to muse about the possibility of an attack or to wildly (or jokingly) suggest it, but doing so outside of very controlled groups of people leads to a misunderstanding as someone walks away from that conversation and tells someone else that it *is* a hacker. And then it gets to someone important, and now you’re spending days, weeks (or more) trying to dig out of that hole and pass the hot potato.

When in doubt, stick with non-extravagent gut feelings. As they say in law enforcement, there may be the possibility of a complex, movie-like conspiracy, but the truth is almost always rooted in the simplest answer. Not some complex plot.

I will say, kudos to finding that Russian (but not the German?) IP address accessing the remote systems. Not so impressed that those IPs can even log in (no idea on the auth mechanism). And just a sigh about not finding those IPs very soon after the fact (i.e. log review, but it’s hard to fault someone for not reviewing logs when it’s a time/money sink 99% of the time and even then it might be missed, besides which maybe they get 240 logins a day, which would suck to browse through, and I don’t know many SIEMs that would be smart enough and easy enough to just tune out anything from your normal systems…seriously, the ideas on how to monitor are easy, but not so much with the tools at hand…yikes, this is a whole discussion in and of itself.)