Hackers Breach Water Treatment Plant, Alter Chemicals in Water Supply


According to a recent report from Verizon Security Solutions, hackers recently compromised an unnamed water treatment plant's control system, The Register reports.

The hackers, who allegedly had ties to Syria, used SQL injection and phishing attacks to compromise the water company's operation control system, allowing them to adjust the valves and ducts controlling the flow of water and chemicals in the system.

"[T]he threat actors modified application settings with little apparent knowledge of how the flow control system worked," the Verizon report states. "In at least two instances, they managed to manipulate the system to alter the amount of chemicals that went into the water supply and thus handicap water treatment and production capabilities so that the recovery time to replenish water supplies increased."

The breach also exposed the personal information of the water company's 2.5 million customers, though there's no evidence that the data was used maliciously.

Tripwire senior directory of security research and development Lamar Bailey told eSecurity Planet by email that poor designs and misconfigurations often lead to security incidents like these. "An entity can purchase all the security products in the world and acquire the best staff available, but if the network has gaping holes in the perimeter or DMZ machines have unfettered access to the secure side of the network it is only a matter of time before an attack succeeds," he said.

Monzy Merza, director of cyber research at Splunk, said attackers often target the low-hanging fruit present in outdated systems. "We continue to see infrastructure systems being targeted because they are generally under-resourced or believed to be out of band or not connected to the Internet," he said.

"Beyond the clear need to invest in intrusion detection, prevention, patch management and analytics-driven security measures, this breach underscores the importance of actionable intelligence," Merza added. "Reports like Verizon's are important sources of insight. Organizations must leverage this information to collectively raise the bar in security to better detect, prevent and respond to advanced attacks. Working collectively is our best route to getting ahead of attackers."

Still, the McAfee Labs Threat Report [PDF] for March 2016, based on a survey of 500 cyber security professionals, found that only 42 percent of respondents make use of shared cyber threat intelligence (CTI).

When asked why they hadn't yet implemented shared CTI in their enterprises, the most common responses were corporate policy (54 percent) and industry regulations (24 percent).

Sixty-three percent of respondents said they might be willing to go beyond just receiving CTI to contributing their own data, as long as it can be done within a secure and private platform. When asked what types of threat data they'd be willing to share, the most common responses were the behavior of malware (72 percent), URL reputations (58 percent), external IP address reputations (54 percent), certificate reputations (43 percent), and file reputations (37 percent).

"Given the determination demonstrated by cybercriminals, CTI sharing will become an important tool in tilting the cybersecurity balance of power in favor of defenders," Vincent Weafer, vice president of Intel Security's McAfee Labs group, said in a statement. "But our survey suggests that high-value CTI must overcome the barriers of organizational policies, regulatory restrictions, risks associated with attribution, trust and a lack of implementation knowledge before its potential can be fully realized."

A recent eSecurity Planet article examined the benefits and challenges of sharing threat intelligence.