CHICAGO — Mystery solved. A reported cyberattack on a water district in central Illinois turned out to be a false alarm set off when an American contractor logged onto the system remotely while vacationing in Russia.
Jim Mimlitz of suburban St. Louis says he hopes he'll be able to laugh about it someday. For now, the contractor is puzzled. Why didn't terrorism investigators pick up the phone and call him? He says he could have straightened out the matter quickly.
Instead, investigators assumed someone had stolen Mimlitz's password and hacked into the system from Russia, causing a water pump to shut down five months later. A blogger spread word of the possible hack, touching off a minor panic.
The truth is, Mimlitz was on vacation with his family in Russia in June. Someone from the Curran Gardner Public Water District near Springfield called his cell phone and asked him to check data on the system. He did, but he didn't mention he was doing so from Russia.
Months later, after the water pump failed, a repairman examining the logs saw a Russian IP address linking to the system with Mimlitz's sign-on. The water district reported that to a state agency and the Illinois Statewide Terrorism and Intelligence Center got involved.
The center released reports about a potential cyber compromise at the water district. The reports were meant to be initial raw reporting and not conclusive. A security consultant and blogger wrote about the reports and released the documents to reporters. The incident was reported as possibly the first successful cyberattack on the U.S. infrastructure.
"A quick and simple phone call to me right away would have defused the whole thing immediately," Mimlitz said. "All I did was I logged on. I tried to help. I looked at some data and gave them my advice."
The story of Mimlitz's vacation was first reported by Wired magazine's Threat Level blog. Mimlitz spoke to The Associated Press on Thursday.
There was no immediate response to requests for comment from the Illinois State Police, which took part in the investigation. A spokesman for the U.S. Department of Homeland Security referred to the department's previous statements saying there was "no evidence to support claims made" in the initial Illinois report "which was based on raw, unconfirmed data and subsequently leaked to the media ..."
Mimlitz has only kind words for the FBI and Department of Homeland Security investigators he met with last week for nearly four hours.
"I was as open as I could be," he said. "I wasn't trying to hide anything. I was just trying to help them find the problem. Even if the end result was not going to be good for me, that wasn't my concern. It was a very productive meeting and they were extremely sharp people."
Mimlitz's company – Navionics Research in Eureka, Mo. – helped set up the system that remotely manages computers controlling machinery in the water district. Security experts have pointed out such Supervisory Control and Data Acquisition systems are vulnerable to hacking.
"I think our system's very secure," Mimlitz said. "It doesn't mean we're not going to keep working on it."