News Feature | March 30, 2016

Hackers Infiltrate Water Plant, Modify Chemical Levels

Sara Jerome

By Sara Jerome,
@sarmje

Hackers infiltrated the control system at a water treatment plant and managed to manipulate the level of chemicals being used at the facility, according to recent reports.

The news comes from a report by Verizon Security Solutions, the phone giant’s cybersecurity arm, as reported by the International Business Times.

“Verizon states in its latest report that a group of hackers who have been previously associated with hacktivism campaigns succeeded in breaching a water treatment facility,” International Business Times reported.

“Due to the sensitive nature of the breach, which gave the hackers access to the personal and financial records of over 2.5 million customers, Verizon is not releasing the name of the water company or the country it resides in, referring to the company by the fake moniker ‘Kemuri Water Company’ (KWC),” the report said.

The breach occurred in part because the water company was using outdated software. The operating system running its entire IT network relied on an IBM system dating back to the ‘80s.

“This server was used to connect not just the firm's internal IT network but also the operational technology (OT) systems that controls the water treatment facility, which managed the water supply and metering water usage for a number of neighbouring counties, and best of all, only one employee in the whole company was capable of dealing with the ancient AS/400 system,” International Business Times reported.

Unusual movements at valves and ducts tipped the water company off that they should call in Verizon’s experts.

“The hackers breached the KWC's systems by exploiting a vulnerability in the web-accessible payments system and using it to get into the company's web server. Verizon's researchers realized that the IP addresses of the attackers corresponded with those of hackers who had previously carried out hactivist campaigns, and it is thought that the hackers' motives might concern Syria, so perhaps these hackers are affiliated with a larger hacking collective,” International Business Times reported.

The fallout from the hack was not as bad as it could have been. The water company reversed chemical and flow changes before any customers became ill.

“Fortunately, based on alert functionality, KWC was able to quickly identify and reverse the chemical and flow changes, largely minimising the impact on customers. No clear motive for the attack was found,” Verizon’s report said, per The Register.

“The researchers say... it is very likely that the hackers didn't even realize that they were manipulating tap water chemical levels as the way they modified application settings showed very little knowledge of how the flow control system worked,” International Business Times reported.

To read more about utility security issues, visit Water Online’s Resiliency Solutions Center.