According to the secret report obtained by Weiss (dated Nov 10th and referring to the discovery of the attack two days earlier), it appears that the site's control system vendor had previously been hacked and various customer usernames and passwords taken. Although not stated, presumably this gave insight into how to connect to the Curran-Gardner system.
It appears that once having control of the SCADA system, the intruder was able to repeatedly turn the pump on and off, leading to its burn-out (note some reporters have suggested the SCADA system itself was turned on ad off repeatedly; this is a laughable proposition). Weiss also reports that the site had been (in hindsight) suffering such issues for a couple of months with site workers commonly observing unexplained problems with the system.
Back tracking the attack led to an IP address located in Russia, although as most researchers know, such attribution is flimsy at best; in fact the perpetrator could have been absolutely anywhere. The FBI and DHS were reported to have stated that they are "gathering facts surrounding the report of a water pump failure in Springfield Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."
Really? A water authority's control system is breached, leading to the destruction of a pump (potentially costing hundreds of thousands of dollars to replace depending on the size of the pump) and you don't believe there's a risk to critical infrastructure?
Let's segue to a second attack by touching on a November 18th PasteBin posting by its perpetrator (who goes by the handle of 'Pr0f'), who posted five screen shots of various pages in the City of South Houston's water management system.
As an aside, this writer has some experience in SCADA systems and would have been very embarrassed regarding the design quality of the pages, had they been mine. Have a look at them and note for instance how matching elements on similar pages are not properly aligned.
The next day, 'Pr0f' is back again with something of an essay where he offers a tirade against government response to such intrusions.
I don't think I am alone in suggesting that the gravity of the problem is more serious than ICS-Cert and similar are equipped to deal with. I would love to see some real reform and discussions between the government, manufacturers of ICS, and people who use these systems happening, because there seems to be a huge disconnect between the parties involved.
I don't have much of a doubt the FBI will be investigating recent events, and I suspect my future may well contain orange uniforms and bad food, but I feel that there's a serious need to highlight these issues publicly worth all costs. Discussion is needed, but more than that, we need action.
Very few others seem to want to talk about anything from anything other than a theoretical standpoint, and legal systems across the world are attempting to stamp-out proactive, offensive security, under the misguided belief that this will somehow deter people from attacking systems.
I couldn't have said it better myself.
'Pr0f' also offers a call-out to "The City of South Houston, Texas, for dealing with the highlighted security issue quickly professionally, and noting that I did indeed cause no damage."
A local Houston news outlet reported that the local Mayor confirmed no damage had been done and that the system had "been taken offline" whatever that means.
When it's this simple to get into control systems upon which the lives of millions of people rely, there is something very seriously wrong with the way these systems are configured and with governmental responses to such breaches.
'Pr0f' has been contacted for further response.