
The Threat to Our Water Supply

Credit Where Credit Is Due …:

The institutions, companies and individuals involved in making CritEx a reality were many — all volunteers — and they have to be given their due for making this test of our critical infrastructure’s water facilities possible. They include, but are not limited to:

AEP, via Indiana-Michigan Power Company
Paul Batzel, CIO for State of Indiana
Office of U.S. Rep. Susan Brooks
Cliff Cambell, Frakes Engineering
Chris Collins, FBI
FBI
FEMA, District V
Jennifer Demederis, Indiana Department of Homeland Security
Carmel Water
Cisco
Citizens Water
Department of Homeland Security
Duke Electricity
Evansville Water
Jeff Gray, ICS-SIRC
Indiana Department of Environmental Management
Indiana Office of Technology
Indiana State Police
Indiana Utility Regulatory Commissioners
ITL
John Lucas
Michigan City Water
Chatrice Mosley, Indiana Utility Regulatory Commission
National Guard
Dewan Neely, CIO for State of Indiana
NiSource & NIPSCO
Brian O’Hara, President, Indiana InfraGard Members Alliance
Office of Mayor Mike Ochs, North Vernon
Office of Indiana Governor Michael Pence
Pondurance, LLC
Doug Raft, Cyber Leadership Alliance
Rockwell
Rook Security
Joe Smith
Vectren
Mark Vogler

Lucas notes that all of the attack software used in the exercise was open-source, available to everyone from a meddlesome college student from any school in the U.S. to a state actor in Iran. “The second attack was an actual brute force attack, where we went after the actual Internet side and did a brute force attack to break in, get onto the network, take control, get through the administrative password side, and then actually attack the SCADA system,” he says. “Again, as in most SCADA systems, they were not up to current patch levels, if ever, and took advantage of known, documented vulnerabilities on standard operating systems.

“We actually attacked the SCADA systems consistent with the approach that a Stuxnet virus would do,” Lucas continues. “Because all of your screens say, ‘Water is flowing perfectly.’ But yet, we just got a call saying, ‘We don’t have any water. What’s going on?’ because our attack actually shut off the flow of water, but all of the SCADA control said that it was flowing, which is consistent with a Stuxnet virus. So they sent a guy out with a radio, and he went, ‘Uh, guys — I’ve got no water coming out of pump 2. We’ve got nothing.’ It was a learning exercise. If this, in fact, did happen to your plant, this is why you wouldn’t even know it was going on when it was going on.”

The total vulnerability of the SCADA system was an eye-opener for the operators on hand, and an absolute provocation for them to reconsider the mindset with which they proceed from day to day. “We had the network attack to get to the SCADA, and then we had SCADA experts who actually did things that I wish I didn’t know were capable, to disrupt water operation without the operators knowing about it,” Lucas recounts. “Then we showed the water operators actually what was happening, versus what they were seeing. I would say that was the most important learning for all of these water operators, because it gave them an understanding and appreciation of how cyberattacks could actually put them at risk. Because in every water operator’s mind is, ‘Well, if you shut down my SCADA, I’ll just go to manual, and we’re all good. That’s the way we used to do it.’ You can go to manual — but you didn’t even know you needed to.”

“So that’s, I think, the biggest learning that we got away, and everyone had a much better understanding of what could happen, and I know for a fact that they all went back and talked to their integrator/SCADA team and said, ‘I need to think about this a little better, and over time, how do we do better at this?’ That’s what I would say was the value that the water companies got out of it. … The sense of security — that they were safe — was shattered. And they needed to worry about this more, and they plan to. That was, to me, the biggest takeaway.”

The magnitude of CritEx and the effort to bring it off was considerable, with water and electrical utility companies, the FBI and DHS, FEMA, and private companies like Rockwell and Cisco in attendance. “We probably had 150 people who observed it over the two days, and it was a phenomenal, mind-boggling, tiring, exhausting experience,” Lucas recalls. In spite of the massive effort it took to bring off, he hopes that it doesn’t end up being a one-time event — because the problem is very real, and the implications immense. If he has his way, Lucas will find a way to make CritEx a sustainable exercise that could be run year-round at the Muscatatuck facility.

“There’s the [idea to] repeat what we did and make it a training exercise for the country — that’s one major potential,” he says. “Muscatatuck has a steam plant. If I add a topping turbine, I now have a power generation station. I can now do a live attack on a coal-fired power station.”

But, as one might predict, there are significant challenges impeding continued development of CritEx and the Muscatatuck facility for future training use — not the least of which is financial. “The tough part is the sustainable part,” he admits. “We’re still working on that. … If I can get a grant from the DHS, we could have this repeating itself in a heartbeat.”

With time not on our side where threat actors are concerned, that may be a bit optimistic, but Indiana’s water sector chief isn’t giving up, describing a scenario in which a $1,000 training fee could form the basis for a new revenue stream to make operations possible. But money is only a part of the equation. “I need a retired water executive to take it over and run it full time, or somebody to run a full-time company who has some knowledge of the issues,” he laments. “That’s what I need. I don’t have one. It’s a dream without a solution.”