Cyber security breach could have poisoned water for millions

Cyber criminals were able to hack a water treatment plant and gain access to not only the personal and financial records of up to 2.5 million customers, but the system that controls the levels of chemicals used to treat drinking water.

Cyber security firm Verizon Security Solutions reported that the hackers may have changed the chemical levels of the tap water provided by the unnamed water plant (nicknamed Kemuri Water Company (KWC) in the report) up to four times during the attack. The report suggested that the hackers may not have realised the extent to which they had infiltrated the plant’s system, or that they had never intended to commit any harm, as there is no evidence that the personal and financial records accessed were exposed or otherwise monetised. Fortunately, the water company was able to identify and reverse the alterations made to the chemical levels before the drinking water was affected, but the cyber-attack could easily have posed real danger to the community.

“KWC’s breach was serious and could have easily been more critical. If the threat actors had a little more time, and with a little more knowledge of the ICS/SCADA (industrial control system / supervisory control and data acquisition), KWC and the local community could have suffered serious consequences,” Verizon’s report found.

Commenting on the report, Monzy Merza, Splunk’s director of cyber research and chief security evangelist, said: “Dedicated and opportunistic attackers will continue to exploit low-hanging fruit present in outdated or unpatched systems. We continue to see infrastructure systems being targeted because they are generally under-resourced or believed to be out of band or not connected to the internet.”

Outdated operating systems vulnerable to attack

The breach happened because the water company had been running an operating system that was a decade old (some speculated it was Windows XP) and relied on a single IBM Application System server of a type first released in 1988. The hackers took advantage of vulnerabilities in the company’s web-accessible payments system, and because that payment system ran on the same server as the water treatment facility’s operational technology, they were then able to reach the water supply and water-usage metering systems. The company’s exposure was compounded by the fact that only one employee was able to manage the archaic system.

“Having internet facing servers, especially web servers, directly connected to SCADA management systems is far from a best practice,” continued Merza. “Many issues like outdated systems and missing patches contributed to the data breach — the lack of isolation of critical assets, weak authentication mechanisms and unsafe practices of protecting passwords also enabled the threat actors to gain far more access than should have been possible.”

It is vital that companies maintain up-to-date technology and follow robust cyber security best practices in order to avoid a potentially catastrophic cyber-attack.

About VinciWorks

Cyber-security starts with organisational culture. VinciWorks can raise cyber awareness in your organisation with eLearning courses including Information Security and Data Protection. Get in touch today and protect your business from cyber-crime.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
