Attackers Alter Water Treatment Systems in Utility Hack: Report

Hackers breached a water utility and manipulated systems responsible for water treatment and flow control, Verizon said in a report released this month.

Verizon’s data breach digest for March 2016 describes several attacks investigated by the company, including one aimed at the systems of an unnamed water utility referred to by Verizon as the Kemuri Water Company (KWC).

The water district had asked Verizon to conduct a proactive assessment as part of its efforts to keep systems and networks healthy, but experts soon discovered clear signs of malicious activity.

They immediately noticed that the organization had a poor security architecture, with Internet-facing systems plagued by high-risk vulnerabilities known to be exploited in the wild, and outdated operational technology (OT) systems that were more than ten years old.

The water utility’s SCADA platform was powered by an IBM AS/400 system, which was first introduced by the vendor in 1988. This system was used to connect both OT functions, such as the water district’s valve and flow control applications, and IT functions, such as financial systems that stored customer and billing information.

An analysis of KWC’s Internet traffic revealed that some IP addresses previously identified during the investigation of attacks carried out by hacktivists had connected to the targeted organization’s online payment application.

Verizon investigators believe the hackers exploited a vulnerability in the payment application web server. This server stored the internal IP address and admin credentials for the AS/400 system, from which the attackers are believed to have stolen 2.5 million records containing customer and payment information. Experts had not found any evidence to suggest that fraudulent activity had taken place on the compromised accounts.

Since the compromised AS/400 system also ran valve and flow control applications used to manipulate the utility’s hundreds of programmable logic controllers (PLCs), the hackers managed to access this software and alter settings related to water flow and the amount of chemicals used to treat the water.

Investigators said they discovered four separate connections over a 60-day period leading up to their assessment.

“In at least two instances, they managed to manipulate the system and thus handicap water treatment and production capabilities so that the recovery time to replenish water supplies increased,” Verizon said in its data breach report. “Fortunately, based on alert functionality, KWC was able to quickly identify and reverse the chemical and flow changes, largely minimizing the impact on customers.”

Verizon pointed out that the attackers likely had little knowledge of how the flow control system worked — the attack could have had far more serious consequences if hackers had more time and more knowledge of the targeted industrial control systems (ICS).

“While it’s easy to want to believe all hackers and attackers are brilliant, talented and highly sophisticated computer geeks who have innate, unworldly skills that allow them to circumvent even the most secure digital systems in a flash, the reality is often different,” said Doug Wylie, VP of product marketing at ICS security firm NexDefense. “As shown by this report, the required skills needed to gain entry into this particular mission-critical system was much less impressive than what we might expect or typically see on TV.”

“The facts in the report do speak for themselves and it’s readily apparent the specific affected water utility was trapped in a past decade (or even two decades ago) in a time when they had little reason to expect their company, business operations or water control systems would ever become the desired target for a sophisticated cyber attack,” Wylie told SecurityWeek.

“While it would be nice to think this particular water utility affected by the breach is unique, having unicorn-like qualities, what was found in the water utility of interest in the Verizon report is likely more typical than unusual,” Wylie noted. “When company budgets are tight and production can’t stop, when perceived risks are misjudged and networked systems evolve uncontrollably over the span of years and decades, the associated cybersecurity risks to these connected systems naturally increase.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
