Water Treatment Plant Hacked, Chemical Mix Changed for Tap Supplies
March 25th, 2016Wow! They don’t say where this supposedly happened.
Via: Register:
Hackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water, we’re told.
The cyber-attack is documented in this month’s IT security breach report (available here, registration required) from Verizon Security Solutions. The utility in question is referred to using a pseudonym, Kemuri Water Company, and its location is not revealed.
A “hacktivist” group with ties to Syria compromised Kemuri Water Company’s computers after exploiting unpatched web vulnerabilities in its internet-facing customer payment portal, it is reported.
The hack – which involved SQL injection and phishing – exposed KWC’s ageing AS/400-based operational control system because login credentials for the AS/400 were stored on the front-end web server. This system, which was connected to the internet, managed programmable logic controllers (PLCs) that regulated valves and ducts that controlled the flow of water and chemicals used to treat it through the system. Many critical IT and operational technology functions ran on a single AS400 system, a team of computer forensic experts from Verizon subsequently concluded.
…
The same hack also resulted in the exposure of personal information of the utility’s 2.5 million customers. There’s no evidence that this has been monetised or used to commit fraud.
Nonetheless, the whole incident highlights the weaknesses in securing critical infrastructure systems, which often rely on ageing or hopelessly insecure setups.
Wow! I used to use an AS/400 in high school and I’m pretty old.
“It seems the activists lacked either the knowledge of SCADA systems or the intent to do any harm.”
I’m betting on the latter. This is just laying the pipe for any future operations.