Previously in the Sentryo Files we talked about a connected car hack and an attack on a pipeline. Now we will turn to a cyberattack on a water treatment plant.
In 2015, attackers broke into a water treatment plant and took control of the chemical dosing system
In 2015, a water treatment plant was attacked as a result of a flaw in an online application that was connected to the industrial system. The attackers were able to access water treatment procedures and modify the levels of chemicals used for purification.
What really happened during this attack?
American company Verizon published a report in March 2016 listing nearly 500 cybersecurity incidents that took place in 2015 in over 40 countries. Among them was the cyberattack on Kemuri Water Company’s* (KWC) water treatment plant, which could have had serious consequences.
KWC contacted Verizon after noticing unexplained changes in the production of drinking water over the course of several months. A security team intervened and discovered numerous flaws which people with malicious intentions could exploit to take control of not one, but several major industrial processes.
Major security flaws
According to Verizon, “KWC was the perfect candidate for a data leak. Its internet interface had several high risk flaws which we know are often exploited.”
Furthermore, a single server was in charge of all data: an IBM AS/400, a series that dates back to 1988, running an operating system that is over 10 years old! As if that wasn’t bad enough, only one employee was in charge of the server, so when that employee wasn’t working there was nobody who could raise an alert in the event of an attack!
The attackers took control of the online payment application and from there gained access to all of KWC’s customers’ financial data. Along the way they were able to recover the login credentials of an administrator account and the IP address of the server managing the industrial process. That is how they were able to reach the infrastructure control interface and modify the level of chemicals used in the water treatment process.
What were the consequences for the company?
First, the attackers were able to access the control parameters for the water treatment process and modify the level of chemicals used to purify water. Luckily, the culprits’ goal was not to put civilians in direct danger but just to steal financial information.
Thanks to the reactions of industrial teams and joint work with the IT teams, the industrial process was quickly restored to normal operations.
Because of these flaws in the access portal to the web server, the attackers managed to access 2.5 million customer files and their financial data, which, so far, do not seem to have been used.
How could the company have prevented this attack?
The situation that KWC had to confront could easily have been prevented. It is not the first time that a water treatment plant has fallen victim to an attack: the Lansing Board of Water & Light, hit by ransomware in 2016, could also have avoided its incident by implementing preventive measures.
The lack of controls between the industrial system and the online payment system, together with weak authentication and inadequate protection of passwords, is what made KWC vulnerable to these cyberattacks.
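The missing control the post points to is a boundary between the customer-facing payment application and the network that hosts the industrial control server. The following is an added example (not from the original post or from Verizon’s report) of the kind of zone-and-conduit policy check a defender can run over connection records to surface exactly the pivot described above: traffic from the web application zone reaching the ICS server directly. All zones, addresses, ports and flow records are constructed for illustration.

```python
"""Zone/conduit policy check for IT-to-OT traffic (added example).

Assumes three constructed network zones: the customer-facing payment web
application, corporate IT, and the OT network that hosts the ICS server.
Every address, port and host name below is made up for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone layout (assumption, not KWC's real network).
ZONES = {
    "payment_dmz": ipaddress.ip_network("203.0.113.0/24"),
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_control": ipaddress.ip_network("10.20.0.0/16"),
}

# Allowed conduits between zones: (source_zone, dest_zone) -> permitted dest ports.
# There is deliberately no conduit from the payment DMZ into OT at all.
ALLOWED_CONDUITS = {
    ("corporate_it", "ot_control"): {22},
    ("corporate_it", "payment_dmz"): {443},
}

# Only a hardened jump host may cross into the OT zone (constructed policy).
JUMP_HOSTS = {ipaddress.ip_address("10.10.5.10")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it matches none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow; verdict is 'allow' or 'alert'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic in {src_zone}"
    allowed_ports = ALLOWED_CONDUITS.get((src_zone, dst_zone))
    if allowed_ports is None:
        return "alert", f"no conduit defined from {src_zone} to {dst_zone}"
    if flow.dport not in allowed_ports:
        return "alert", f"port {flow.dport} not permitted on conduit {src_zone}->{dst_zone}"
    if dst_zone == "ot_control" and ipaddress.ip_address(flow.src) not in JUMP_HOSTS:
        return "alert", f"{flow.src} is not an approved jump host for {dst_zone}"
    return "allow", f"permitted conduit {src_zone}->{dst_zone}:{flow.dport}"


# Constructed flow records. The last two mirror the pivot pattern in the post:
# the web application zone talking straight to the ICS server.
SAMPLE_FLOWS = [
    Flow("10.10.5.10", "10.20.1.50", 22),      # approved jump host -> ICS server
    Flow("10.10.7.22", "10.20.1.50", 22),      # ordinary IT workstation -> ICS server
    Flow("203.0.113.15", "10.20.1.50", 22),    # payment web server -> ICS server
    Flow("203.0.113.15", "10.20.1.50", 5900),  # payment web server -> ICS server, VNC
]


def audit(flows=SAMPLE_FLOWS) -> list[dict]:
    """Evaluate every flow and return one result row per flow."""
    rows = []
    for f in flows:
        verdict, reason = evaluate(f)
        rows.append({"flow": f, "verdict": verdict, "reason": reason})
    return rows


if __name__ == "__main__":
    for row in audit():
        f = row["flow"]
        print(row["verdict"].upper(), f"{f.src}->{f.dst}:{f.dport}", row["reason"])
```

The policy is written as an explicit allowlist of conduits rather than a blocklist, so a flow from the payment zone to the OT zone is flagged even on a port that would be legitimate from an approved jump host; that is the property a firewall or data diode between IT and OT should enforce, and the check above is a way to verify it from flow logs after the fact.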
The silver lining
First, Verizon explained that “if the attackers had had more time and more extensive knowledge of the industrial control system (SCADA), KWC and local civilians could have suffered some serious damage”.
Second, despite the large number of flaws, the IT and OT teams, which are not necessarily used to working together, responded quickly and engaged in dialogue to manage the situation.
Although this attack had minor consequences because of the attackers’ limited intentions, Verizon’s report underlines how high a priority the security of industrial information systems must be for companies, especially those facing real environmental risks, where the consequences of a cyberattack could be far greater.
*The name and the country of origin were changed to protect the identity of the real company.