Cyber criminals were able to hack a water treatment plant and gain access to not only the personal and financial records of up to 2.5 million customers, but the system that controls the levels of chemicals used to treat drinking water.

Cyber security firm Verizon Security Solutions reported that the hackers may have changed the chemical levels of the tap water provided by the unnamed water plant (nicknamed Kemuri Water Company (KWC) in the report) up to four times during the attack. The report suggested that the hackers may not have realised the extent to which they had infiltrated the plant’s system, or that they had never intended to commit any harm, as there is no evidence that the personal and financial records accessed were exposed or otherwise monetised. Fortunately, the water company was able to identify and reverse the alterations made to the chemical levels before the drinking water was affected, but the cyber-attack could easily have posed real danger to the community.

“KWC’s breach was serious and could have easily been more critical. If the threat actors had a little more time, and with a little more knowledge of the ICS/SCADA (industrial control system / supervisory control and data acquisition) KWC and the local community could have suffered serious consequences,” Verizon’s report found.

Commenting on the report, Monzy Merza, Splunk’s director of cyber research and chief security evangelist, said that: “Dedicated and opportunistic attackers will continue to exploit low-hanging fruit present in outdated or unpatched systems. We continue to see infrastructure systems being targeted because they are generally under-resourced or believed to be out of band or not connected to the internet.”

Outdated operating systems vulnerable to attack

The breach happened because the water company had been using an operating system that was a decade old (some speculated it was Windows XP) and relied on a single IBM Application System server that was released in 1988. The hackers took advantage of vulnerabilities in the company’s web-accessible payments system, and because the payment system was on the same server as the water treatment facility’s operational technology, they were then able to access the water supply and metering water usage systems. The company’s vulnerability was further compounded by the fact that just one employee was able to deal with the archaic system.

“Having internet facing servers, especially web servers, directly connected to SCADA management systems is far from a best practice,” continued Merza. “Many issues like outdated systems and missing patches contributed to the data breach — the lack of isolation of critical assets, weak authentication mechanisms and unsafe practices of protecting passwords also enabled the threat actors to gain far more access than should have been possible.”

It is vital that companies maintain up-to-date technology and follow robust cyber security best practices in order to avoid a potentially catastrophic cyber-attack.

About VinciWorks

Cyber-security starts with organisational culture. VinciWorks can raise cyber awareness in your organisation with eLearning courses including Information Security and Data Protection. Get in touch today and protect your business from cyber-crime.