Verizon Security Solutions has released a report detailing how a group of hackers were able to gain access to a water treatment plant and alter the levels of chemicals used to treat tap water.
This is the latest in a growing trend of cyberattacks against utility companies, following an attack on three power companies in Ukraine in December 2015 and an attack on Israel's Electricity Authority in January of this year.
Verizon Security Solutions is Verizon's own cybersecurity division, which deals with cybersecurity threats to large enterprises. Verizon has decided not to release the name of the water company that was attacked, or the country in which it was located, because the hackers were also able to gain access to the personal and financial records of 2.5 million customers. For that reason, the report refers to the water company using the false name “Kemuri Water Company” (KWC).
An outdated operating system and server were what allowed the hackers to gain access to the water treatment facility. KWC was using a single IBM Application System/400 (AS/400) server, a system released in 1988, to connect both its internal IT network and the operational technology systems that manage the facility's controls to the internet. To make matters worse, only one employee at the company knew how to operate the ancient server.
KWC requested that Verizon examine its system after its IT department detected that an outside party had gained unauthorised access to its system. Two months prior, the company also noticed a pattern of unexplained valve and duct movements that were affecting hundreds of Programmable Logic Controllers (PLCs). The PLCs regulate the amount of chemicals used in treating water and the flow rate of water at the plant.
The breach exploited a vulnerability in KWC's web-accessible payment system and used it to access the company's web servers. Verizon traced the IP addresses of the hackers and realised that they had previously been involved in hacktivist campaigns.
The hackers most likely did not realise that they had access to the records of 2.5 million customers or that they were affecting the chemicals used to treat water. If they had, a great deal more damage could have been done financially and many of the plant's customers could have become ill from mistreated water.
As cyberattacks are growing in number and severity, it is important for companies in all fields to ensure that they are fully prepared to deal with these threats.
Using outdated software and hardware may save money in the short term but in the long term it could hurt a company's finances as well as its reputation.