A water treatment plant in New York was one of the latest victims of hackers, according to Verizon’s latest Data Breach Digest. The hackers breached the industrial control system of the water company, changing its valve and flow settings along the way.
Verizon was approached by the unnamed water district, asking them to evaluate their networks for breaches in their security. There were no signs of unauthorized access, with the assessment being a proactive measure in an effort to keep the systems and networks in shape.
Verizon focused on the company’s IT infrastructure which had numerous functions, some of which were: supporting end users and corporate functions; and Operational Technology (OT) systems, which was the center of distribution, control, and metering of the region’s water supply.
The assessment by Verizon led to discovery of a number of high-risk vulnerabilities in the system while the OT side relied too much on computers that ran on operating systems that were more than a decade old.
A good number of critical OT and IT functions were being run on a single IBM AS/400 system, designated by the company as its Supervisory Control and Data Acquisition (SCADA) platform. It was responsible for the water district’s valve and flow control application which regulated hundreds of programmable logic controllers (PLCs), stored customer billing information, and the company’s financial records.
Hackers changed the controllers which manage the amount of chemicals used to treat water to make it potable.
Discussions with the IT system team showed alarming concerns as unexplained activity in the valve and duct movements over a 60-day period were deemed suspicious. Verizon noticed that the movements in the valve and duct systems included the amount of chemicals used to treat the water to make it potable, and the rate of water flow in the system – disrupting the water distribution in the area.
IP addresses that were previously used by hacktivist attacks showed up on an analysis of the log of the company’s internet traffic, even connecting to the online payment application part of the system.
Verizon stated that they “found a high probability that any unauthorized access on the payment application would also expose sensitive information housed on the AS/400 system.” They also determined that the hackers had gone through a loophole in the payment application, resulting in the attainment of customer data. According to the investigation, there were no confirmed instances of fraud committed through the stolen accounts.
Taking of the customers’ information was not the full scope of the hack. With the same process used in the payment app system, the hacktivists were able to manipulate the valve and flow system that also ran on the AS/400 infrastructure.
The hackers were able to control the system in a way that the amount of chemicals that went into the water was altered, resulting in a delay to the recovery time for the water supplies to replenish. Because of the alerts, the water facility was able to reverse the malicious actions while also minimizing any negative or harmful impact to the customers. Verizon added that there were no clear motives from the attacks, while the water company has taken more protective measures to protect their systems.
Verizon concluded their report on the hacking by saying that the outdated systems and missing patches contributed to the data breach. The lack of isolation of critical assets, weak authentication mechanisms and unsafe practices enabled the hackers to gain easier access to the system. While the company’s alert functionality helped in detecting the changes done by the hackers, a “layered defense-in-depth strategy” would have detected the attack much earlier – maybe even preventing it from happening.
Comprehensive multi-device protection for you and your family for up to 6 PCs, Macs, Android, and iOS devices. For more info click here.