The failure of a water pump in Illinois had nothing to do with a security attack from Russia, the contractor who turned out to be at the heart of the episode has said.
In mid-November, the pump's failure was attributed by the Illinois Statewide Terrorism and Intelligence Center to a supposed attack emanating from a Russian IP address, leading many to chalk the incident up as the first successful attack on a US supervisory control and data acquisition (Scada) system.
The idea was that an attacker had remotely and repeatedly turned the pump on and off, causing it to fail, and that this was the first American analogue of the somewhat more robust effects of the Stuxnet attack in Iran.
However, the Washington Post reported a week later that a US contractor travelling in Russia had been behind the connection to the Scada system that had led to the intelligence centre's report. On Wednesday, the contractor, Jim Mimlitz, gave an interview to Wired in which he explained what happened.
Mimlitz's integration firm had helped set up the Scada system for the Curran Gardner Public Water District around Springfield, Illinois, and still provides support for the system. While in Russia on vacation in June, he received a request from Curran Gardner to remotely log on and check some data history charts.
He did so, although he says he "wasn't manipulating the system or making any changes or turning anything on or off".
When a Curran Gardner water pump failed in early November, a computer repairman noticed the Russian IP address in the logs, along with Mimlitz's username. The information went to the Environmental Protection Agency (EPA), which passed it on to the intelligence centre.
Someone writing the intelligence centre's report assumed Mimlitz's computer had been hacked — nobody was aware that he had actually been in Russia.
The centre comprises representatives of the Illinois State Police, the Department of Homeland Security, the FBI and other agencies. The police are apparently claiming the others are responsible, and vice versa.
Either way, the report became public, then had to be debunked when the error was discovered.