Attackers Alter Water Treatment Systems in Utility Hack: Report

Hackers breached a water utility and manipulated systems responsible for water treatment and flow control, Verizon said in a report released this month.

Verizon’s data breach digest for March 2016 describes several attacks investigated by the company, including one aimed at the systems of an unnamed water utility referred to by Verizon as the Kemuri Water Company (KWC).

The water district had asked Verizon to conduct a proactive assessment as part of its efforts to keep systems and networks healthy, but experts soon discovered clear signs of malicious activity.

They immediately noticed that the organization had a poor security architecture: Internet-facing systems were plagued by high-risk vulnerabilities known to be exploited in the wild, and the operational technology (OT) systems were more than ten years old.

The water utility’s SCADA platform was powered by an IBM AS/400 system, which was first introduced by the vendor in 1988. This system was used to connect both OT functions, such as the water district’s valve and flow control applications, and IT functions, such as financial systems that stored customer and billing information.

An analysis of KWC’s Internet traffic revealed that some IP addresses previously identified during the investigation of attacks carried out by hacktivists had connected to the targeted organization’s online payment application.

Verizon investigators believe the hackers exploited a vulnerability in the payment application web server. This server stored the internal IP address and admin credentials for the AS/400 system, from which the attackers are believed to have stolen 2.5 million records containing customer and payment information. Investigators found no evidence that the compromised accounts had been used for fraud.

Since the compromised AS/400 system also ran valve and flow control applications used to manipulate the utility’s hundreds of programmable logic controllers (PLCs), the hackers managed to access this software and alter settings related to water flow and the amount of chemicals used to treat the water.

Investigators said they discovered four separate connections over a 60-day period leading up to their assessment.

“In at least two instances, they managed to manipulate the system and thus handicap water treatment and production capabilities so that the recovery time to replenish water supplies increased,” Verizon said in its data breach report. “Fortunately, based on alert functionality, KWC was able to quickly identify and reverse the chemical and flow changes, largely minimizing the impact on customers.”
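The report credits alerting on chemical and flow changes with limiting the damage. The following is an added example, not code from the Verizon report or from the utility, of the kind of setpoint-change monitor that produces such alerts: it reads constructed change-log lines and flags writes from hosts other than the operator console, new values outside engineering limits, and abrupt step changes. The log format, tag names, hosts and limits are all assumptions made for the example.

```python
# Added example, not from the Verizon report or SecurityWeek.  A minimal
# setpoint-change monitor for PLC write events.  The log format, tag names,
# host addresses and engineering limits below are constructed assumptions.
from dataclasses import dataclass

# Constructed sample log lines: timestamp, writing host, PLC tag, old, new.
SAMPLE_LOG = """\
2016-01-04T02:11:09Z 10.10.5.20 PLC07.CHLORINE_DOSE_PPM 1.8 1.9
2016-01-04T02:13:41Z 10.10.5.20 PLC07.CHLORINE_DOSE_PPM 1.9 6.5
2016-01-04T02:14:02Z 10.10.9.77 PLC12.RAW_WATER_FLOW_LPM 4200 900
2016-01-04T02:20:15Z 10.10.5.20 PLC12.RAW_WATER_FLOW_LPM 900 4200
"""

# Operator-defined engineering limits per tag (assumed values).
LIMITS = {
    "PLC07.CHLORINE_DOSE_PPM": (0.5, 4.0),
    "PLC12.RAW_WATER_FLOW_LPM": (3000.0, 6000.0),
}
# Hosts permitted to write setpoints (assumed: only the operator HMI).
AUTHORIZED_WRITERS = {"10.10.5.20"}
# Largest permitted single step, as a fraction of the previous value.
MAX_STEP_FRACTION = 0.5


@dataclass
class Alert:
    ts: str
    tag: str
    reason: str


def parse_line(line):
    """Split one whitespace-separated change record into typed fields."""
    ts, host, tag, old, new = line.split()
    return ts, host, tag, float(old), float(new)


def check_change(ts, host, tag, old, new):
    """Return the alerts raised by a single setpoint write (possibly none)."""
    alerts = []
    if host not in AUTHORIZED_WRITERS:
        alerts.append(Alert(ts, tag, f"write from unauthorized host {host}"))
    lo, hi = LIMITS.get(tag, (float("-inf"), float("inf")))
    if not lo <= new <= hi:
        alerts.append(Alert(ts, tag, f"new value {new} outside [{lo}, {hi}]"))
    if old != 0 and abs(new - old) / abs(old) > MAX_STEP_FRACTION:
        alerts.append(Alert(
            ts, tag, f"step change {old} -> {new} exceeds {MAX_STEP_FRACTION:.0%}"))
    return alerts


def scan(log_text):
    """Run every record in the log through check_change and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(check_change(*parse_line(line)))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.tag}: {a.reason}")
```

Note that the operator's own corrective write in the last record also trips the step-change check; that is deliberate, since a monitor that stays silent on large reversals would also stay silent on an attacker restoring values to hide activity. In practice the unauthorized-host check is the one that matters most here: in the incident described, the writes came through the same AS/400 applications the operators used, so limits and step checks are the backstop when source attribution alone is not enough.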

Verizon pointed out that the attackers likely had little knowledge of how the flow control system worked — the attack could have had far more serious consequences if hackers had more time and more knowledge of the targeted industrial control systems (ICS).

“While it’s easy to want to believe all hackers and attackers are brilliant, talented and highly sophisticated computer geeks who have innate, unworldly skills that allow them to circumvent even the most secure digital systems in a flash, the reality is often different,” said Doug Wylie, VP of product marketing at ICS security firm NexDefense. “As shown by this report, the required skills needed to gain entry into this particular mission-critical system were much less impressive than what we might expect or typically see on TV.”

“The facts in the report do speak for themselves and it’s readily apparent the specific affected water utility was trapped in a past decade (or even two decades ago) in a time when they had little reason to expect their company, business operations or water control systems would ever become the desired target for a sophisticated cyber attack,” Wylie told SecurityWeek.

“While it would be nice to think this particular water utility affected by the breach is unique, having unicorn-like qualities, what was found in the water utility of interest in the Verizon report is likely more typical than unusual,” Wylie noted. “When company budgets are tight and production can’t stop, when perceived risks are misjudged and networked systems evolve uncontrollably over the span of years and decades, the associated cybersecurity risks to these connected systems naturally increase.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
