South Carolina Water Company Cyber Attack, CEO "Fairly Certain" No Compromise Occurred

If the CEO is only "fairly certain" no corporate data has been compromised, there is a major problem. Approximately ten days have elapsed since the attack occurred, so there should be no uncertainty at this point:

The cyber-attack on Greenville Water triggered a payment system outage that began on Wednesday, January 22. Company spokesperson Emerald Clark said 500,000 customers were affected by the incident.

An investigation has been launched into the cyber-attack, the exact nature of which is yet to be revealed by Greenville Water. It's not yet known who targeted the water company or from where the attack was launched.

Greenville Water CEO David Bereskin said he was "fairly certain" that the utility's data had not been compromised as a result of the incident.

This sounds reassuring:

In the statement, Clark said that the incident "has not and will not impact or compromise the safety and delivery of water that is treated and maintained by our facilities."

When asked for comment on the cyber-attack by the Greenville News, Greenville County government affairs coordinator Bob Mihalic stated only that "Greenville County uses multiple methods of protecting data, hardware, and infrastructure from potential cyber-attacks."

The statement is mere obfuscation. It would be easy to state unequivocally that the operational network, where the industrial control systems and SCADA for the water treatment facility reside, is air-gapped and therefore not physically connected to the business network - a security best practice for sensitive, mission-critical networks. Since Bob Mihalic failed to mention this point, it makes me wonder if, in fact, the networks are connected and therefore lateral movement to the OT network is possible.