Hackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water, we’re told.
The cyber-attack is documented in this month’s IT security breach report (available here, registration required) from Verizon Security Solutions. The utility in question is referred to using a pseudonym, Kemuri Water Company, and its location is not revealed.
A “hacktivist” group with ties to Syria compromised Kemuri Water Company’s computers after exploiting unpatched web vulnerabilities in its internet-facing customer payment portal, it is reported.
The hack – which involved SQL injection and phishing – exposed KWC’s ageing AS/400-based operational control system because login credentials for the AS/400 were stored on the front-end web server. This system, which was connected to the internet, managed programmable logic controllers (PLCs) that regulated the valves and ducts controlling the flow of water, and of the chemicals used to treat it, through the system. Many critical IT and operational technology functions ran on a single AS/400 system, a team of computer forensic experts from Verizon subsequently concluded.
I work in the IT field and most local government utilities are run by idiots. They have no concept of security of any type and are too cheap and too ignorant to listen to anyone. Here is an example. A sheriff department left their wireless access point open because they found it too hard to remember the key. You could literally browse all their documents (which had no permissions set) from the town square sitting in your car. This happened more than once even after being told about the risks.