Verizon security report reveals possible risks to citizens if utilities are hijacked, after water treatment tampered with several times during attack
A recent cyber-attack has highlighted the worrying gaps in the cybersecurity of utility companies, which could be hijacked with potentially lethal results.
A report from Verizon found at least one example where hackers were able to access the computer systems of a water treatment plant and affect the treating process, exposing people to potential health risks by drinking polluted water.
The Verizon 2015 Data Breach Investigations digest said that the criminals were able to access the system and change the levels of chemicals being used to treat tap water four times during a prolonged cyberattack.
The company affected was not named by Verizon, which gave it the codename Kemuri Water Company (KWC) to protect its identity and allow it to continue to operate and provide drinking water.
Luckily, KWC was able to identify and reverse the chemical and flow changes in time, but the attack raised worries about utility company security.
“KWC’s breach was serious and could have easily been more critical. If the threat actors had a little more time, and with a little more knowledge of the ICS/SCADA system, KWC and the local community could have suffered serious consequences,” Verizon’s report said.
Verizon blamed the attack on KWC’s use of outdated operating systems across its network, most probably Windows XP, and the fact that the company’s entire IT network relied on a single ancient IBM Application System/400 (AS/400) server, released back in 1988, which was the responsibility of a single employee at the company.
The hackers were able to breach KWC’s systems by exploiting a vulnerability in the web-accessible payments system, which allowed them to access the company’s web server. This connected not only the firm’s internal IT network but also the operational technology (OT) systems that controlled the water treatment facility, which managed the water supply and metering water usage for a number of neighbouring counties.
“Having internet facing servers, especially web servers, directly connected to SCADA management systems is far from a best practice,” the report added.
“Many issues like outdated systems and missing patches contributed to the data breach — the lack of isolation of critical assets, weak authentication mechanisms and unsafe practices of protecting passwords also enabled the threat actors to gain far more access than should have been possible.”
Verizon’s report is the first to explicitly detail the risks to water companies, but other utility areas have previously come under attack in the past.
Most notably, last December parts of Ukraine were left without power following a malware attack on a power plant in the country.
Blamed on Russian hackers, the attack on left parts of western Ukraine, including regional capital Ivano-Frankivsk, without power, power company Prykarpattyaoblenergo said at the time.
Security experts also reported in 2014 that a number of energy companies in the US, Spain, France, Italy, Germany, Turkey and Poland had been compromised by a group called Dragonfly, thought to be based in Russia.
Are you a security pro? Try our quiz!