SecurityWeek

ICS/OT

Attackers Alter Water Treatment Systems in Utility Hack: Report

Hackers breached a water utility and manipulated systems responsible for water treatment and flow control, Verizon said in a report released this month.


Verizon’s data breach digest for March 2016 describes several attacks investigated by the company, including one aimed at the systems of an unnamed water utility referred to by Verizon as the Kemuri Water Company (KWC).

The water district had asked Verizon to conduct a proactive assessment as part of its efforts to keep systems and networks healthy, but experts soon discovered clear signs of malicious activity.

They immediately noticed that the organization had a poor security architecture: Internet-facing systems plagued by high-risk vulnerabilities known to be exploited in the wild, and operational technology (OT) systems that were more than ten years old.


The water utility’s SCADA platform was powered by an IBM AS/400 system, a platform the vendor first introduced in 1988. This single system hosted both OT functions, such as the water district’s valve and flow control applications, and IT functions, such as financial systems that stored customer and billing information. With no separation between the two, anyone who compromised the IT side had a direct path to the OT side.

An analysis of KWC’s Internet traffic revealed that some IP addresses previously identified during the investigation of attacks carried out by hacktivists had connected to the targeted organization’s online payment application.

Verizon investigators believe the hackers exploited a vulnerability in the payment application web server. This server stored the internal IP address and admin credentials for the AS/400 system, from which the attackers are believed to have stolen 2.5 million records containing customer and payment information. Investigators found no evidence that fraudulent activity had taken place on the compromised accounts.


Since the compromised AS/400 system also ran valve and flow control applications used to manipulate the utility’s hundreds of programmable logic controllers (PLCs), the hackers managed to access this software and alter settings related to water flow and the amount of chemicals used to treat the water.

Investigators said they discovered four separate connections over a 60-day period leading up to their assessment.

“In at least two instances, they managed to manipulate the system and thus handicap water treatment and production capabilities so that the recovery time to replenish water supplies increased,” Verizon said in its data breach report. “Fortunately, based on alert functionality, KWC was able to quickly identify and reverse the chemical and flow changes, largely minimizing the impact on customers.”
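The alerting that let KWC spot and reverse the chemical and flow changes is the one control in this story that worked, and it is worth seeing what such a check looks like. The following Python is an added example, not code from the Verizon report or from the utility it describes: a setpoint-change monitor that reads a constructed change log (timestamp, tag, old value, new value, source host, user), flags writes that leave a per-tag safe band, jump further than a single write should, or come from a host that is not an engineering workstation, and carries the last known-good value so an operator can restore it. The tag names, safe bands, host list and log lines are all constructed for illustration; the AS/400 that also hosts billing is deliberately absent from the authorized-host list.

```python
"""Setpoint-change monitor for a water treatment change log.

Added example; not code from the Verizon report or the utility it describes.
The log format, tag names, safe bands and host list are constructed for
illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed change-log lines:
#   timestamp  tag  old_value  new_value  source_host  user
SAMPLE_LOG = """\
2016-02-10T03:12:44Z CL2_DOSE_SP 1.8 1.9 eng-ws-01 opsuser
2016-02-11T02:07:13Z FLOW_SP_MAIN 420 415 eng-ws-01 opsuser
2016-02-12T23:48:02Z CL2_DOSE_SP 1.9 6.5 as400-prod webadmin
2016-02-12T23:49:30Z FLOW_SP_MAIN 415 90 as400-prod webadmin
2016-02-13T00:02:11Z CL2_DOSE_SP 6.5 1.9 eng-ws-01 opsuser
"""

# Per-tag (min, max, max_step): safe operating band and the largest step a single
# write may make. Constructed values, not real plant limits.
SAFE_BANDS: Dict[str, Tuple[float, float, float]] = {
    "CL2_DOSE_SP": (1.0, 3.0, 0.5),        # chlorine dose setpoint, mg/L (assumed)
    "FLOW_SP_MAIN": (300.0, 500.0, 50.0),  # main line flow setpoint, gpm (assumed)
}

# Hosts allowed to write setpoints. The AS/400 that also hosts billing is
# deliberately not listed: an IT box should not be writing to PLCs.
AUTHORIZED_HOSTS = {"eng-ws-01", "eng-ws-02"}


@dataclass
class Change:
    ts: str
    tag: str
    old: float
    new: float
    host: str
    user: str


@dataclass
class Alert:
    change: Change
    reasons: List[str]
    revert_to: float  # last value that passed every check, for the operator to restore


def parse_log(text: str) -> List[Change]:
    """Parse whitespace-separated change records; blank lines are skipped."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tag, old, new, host, user = line.split()
        changes.append(Change(ts, tag, float(old), float(new), host, user))
    return changes


def evaluate(changes: List[Change]) -> List[Alert]:
    """Flag writes that leave the safe band, jump too far, or come from an
    unauthorized host. A write from an authorized host that restores the last
    known-good value is treated as an operator revert and is not alerted, even
    when it is a large step."""
    alerts: List[Alert] = []
    last_good: Dict[str, float] = {}
    for c in changes:
        if c.tag not in SAFE_BANDS:
            alerts.append(Alert(c, [f"no safe band configured for tag {c.tag}"], c.old))
            continue
        lo, hi, max_step = SAFE_BANDS[c.tag]
        # The first time a tag is seen, trust its old value if it is inside the band.
        if c.tag not in last_good and lo <= c.old <= hi:
            last_good[c.tag] = c.old
        known_good = last_good.get(c.tag, c.old)

        reasons: List[str] = []
        if not lo <= c.new <= hi:
            reasons.append(f"new value {c.new:g} outside safe band [{lo:g}, {hi:g}]")
        if abs(c.new - c.old) > max_step:
            reasons.append(f"step {abs(c.new - c.old):g} exceeds max step {max_step:g}")
        if c.host not in AUTHORIZED_HOSTS:
            reasons.append(f"write from unauthorized host {c.host} as {c.user}")

        is_revert = c.host in AUTHORIZED_HOSTS and c.new == known_good
        if reasons and not is_revert:
            alerts.append(Alert(c, reasons, known_good))
        else:
            last_good[c.tag] = c.new
    return alerts


def run(text: str = SAMPLE_LOG) -> List[Alert]:
    """Parse and evaluate a change log; returns the alerts raised."""
    return evaluate(parse_log(text))


if __name__ == "__main__":
    for a in run():
        print(f"{a.change.ts} {a.change.tag} {a.change.old:g}->{a.change.new:g}: "
              f"{'; '.join(a.reasons)} (revert to {a.revert_to:g})")
```

On the constructed log the two writes from the AS/400 trip all three checks and each alert carries the value to restore, while the operator's large corrective write back to 1.9 is recognised as a revert rather than a fresh alarm. The host check is the one that matters most in this incident: it would have fired even if the attackers had chosen values inside the safe band, because a billing system was writing to control tags at all.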

Verizon pointed out that the attackers likely had little knowledge of how the flow control system worked; the attack could have had far more serious consequences had the hackers had more time and a better understanding of the targeted industrial control systems (ICS).

“While it’s easy to want to believe all hackers and attackers are brilliant, talented and highly sophisticated computer geeks who have innate, unworldly skills that allow them to circumvent even the most secure digital systems in a flash, the reality is often different,” said Doug Wylie, VP of product marketing at ICS security firm NexDefense. “As shown by this report, the required skills needed to gain entry into this particular mission-critical system were much less impressive than what we might expect or typically see on TV.”

“The facts in the report do speak for themselves and it’s readily apparent the specific affected water utility was trapped in a past decade (or even two decades ago) in a time when they had little reason to expect their company, business operations or water control systems would ever become the desired target for a sophisticated cyber attack,” Wylie told SecurityWeek.

“While it would be nice to think this particular water utility affected by the breach is unique, having unicorn-like qualities, what was found in the water utility of interest in the Verizon report is likely more typical than unusual,” Wylie noted. “When company budgets are tight and production can’t stop, when perceived risks are misjudged and networked systems evolve uncontrollably over the span of years and decades, the associated cybersecurity risks to these connected systems naturally increase.”


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
