A US water utility has been damaged by a hack that exploited its supervisory control and data acquisition (Scada) software, according to a security expert.
The hack, detailed on Thursday by Joe Weiss, the managing partner of Applied Control Solutions, which provides consulting services for securing industrial control systems, was disclosed in a report by an unnamed US government organisation.
"It is believed the [water utility's] Scada software vendor was hacked and customer usernames and passwords stolen," Weiss wrote. "There was damage — the Scada system was powered on and off, burning out a water pump."
Weiss said the attack emanated from an IP address located in Russia.
"Minor glitches were observed in remote access to the Scada system for two to three months before it was identified as a cyber attack," he wrote.
The US Department of Homeland Security (DHS) sought to downplay the security concerns generated by Weiss's comments.
"DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Illinois," Peter Boogaard, a spokesman for the DHS, said in a statement given to CNET News. "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety."
Scada is a class of widely used software for controlling industrial equipment. In 2010, a virus named Stuxnet appeared that sought to infect systems that managed centrifuges for refining nuclear fuel. Many security experts believed the virus's target was Iran's Natanz nuclear enrichment facility.
Many security companies worry that Stuxnet's code, which is available on the web, has spawned copycat viruses, including the information-stealing Duqu trojan.