The future of our city services? Cyberattackers target core water systems

In a recent case, cyberattackers have demonstrated that breaches are not limited to corporate targets.
Written by Charlie Osborne, Contributing Writer

A group of cyberattackers have shown how weak security has the potential to cripple urban areas worldwide.

The services we rely on every day but often don't think about until a bill is popped through the post -- electricity, water and gas -- keep Western cities running. Without them, businesses would collapse and our daily lives would be very, very different.

But are utilities taking enough care to protect these core services from abuse? Perhaps not, considering a recent case recounted by Verizon's cybersecurity RISK team.

In Verizon's latest breach digest for March 2016 (.PDF), the telecommunications firm recounts an incident the Verizon RISK lab took part in with a client.

The RISK team conducts hundreds of cybersecurity investigations and audits per year, and in this case, the customer -- known only as the Kemuri Water Company (KWC) -- needed help with assessing their networks for indications of a security breach.

KWC supplies a core service to neighbouring countries; namely, the supply and metering of water. While KWC was originally "adamant" that infrastructure was secure and there was no evidence of any cyberattack, it did not take long for RISK to find out this was not the case.

According to Verizon, the water supplier's networks were riddled with critical vulnerabilities often exploited in the wild, and the company's systems were based on antiquated PCs running on operating systems which were at least 10 years old.

What was even worse is that KWC ran many critical functions off one single 1988 IBM AS400 system, known as the "Scada platform," which also functioned as a router with direct connections in to other networks.

The Scada platform also ran the water district's valve and control operations, housed the sensitive information of customers and billing data, and the company's financial accounts.

"If a data breach were to occur at KWC, this SCADA platform would be the first place to look," Verizon says.

The investigation revealed that the firm's management team were actually aware of possible unauthorised access into the operation technology (OT) systems of the water district, since unusual valve and duct movements had taken place over a period of 60 days.

The water supply's control systems had been manipulated, causing disruptions to supply and flow rate -- and more dangerously, the amount of chemicals pumped into the water which makes it safe to drink was also manipulated.

The security team discovered that hacktivists were able to take advantage of Internet-facing vulnerabilities to access the network through a payment application, granting them access to a wealth of information. RISK says:

"Access to customer water usage, PII and payment data required only a username and password. No second authentication factor was needed. Next, we found a direct cable connection between the application and the AS400 system.
Making matters worse, the AS400 system had open access to the internet and its internal IP address and administrative credentials were found on the payment application webserver in clear text."

While there is no evidence that customer data -- reaching 2.5 million records -- has been exploited, the researchers believe this was never the intention, anyway. Instead, the hacktivists were focused on disrupting water supplies.

KWC and Verizon are working together to fix the problems archaic technology, lax security and poor patching practices have caused -- but the situation could have been far worse. If the cyberattackers had a mind to, they could have ended up poisoning a country's water supplies with potentially fatal results.

The water supplier got lucky. This is the reality of how important security is in today's networked world, and it is not only the enterprise which needs to sit up and take note. A corporate data breach can ruin reputations and cost companies and clients financially, but a security breach taking place at a utility can have far more damaging results.

10 steps to learn how to hack

Read on: Top picks

Editorial standards