Almost one year ago, on Feb. 8, 2021, public officials from the city of Oldsmar, Florida, held a press conference to disclose what they called “an unlawful intrusion into the city’s water treatment system.” An unnamed hacker had connected to TeamViewer software on the workstation connected to the water treatment controls and significantly raised the levels of lye in the area’s drinking water. Fortunately, an astute plant employee noticed the workstation’s cursor seemingly moving of its own volition and performing unauthorized tasks, and the attack was thwarted.
While the last year has shown just how vulnerable critical infrastructure is to motivated threat actors – with multiple attacks on water/wastewater, oil pipelines, and the food and beverage industry – the alarm was raised well before that. One such attack was disclosed in March 2016 when Verizon’s data breach digest described a hit on an unnamed water facility it called the Kemuri Water Company. They used this pseudonym due to the sensitive nature of the breach, where hackers took advantage of outdated systems and poor cyber hygiene to access 2.5 million financial records and to manipulate the area’s water supply.
Like Oldsmar, this attack was halted before it endangered human health and safety, but it’s clear operational technology (OT) systems are at risk. At the hands of a savvier attacker, this sort of event could be calamitous.
The Kemuri Water Company attack
In the months prior to reporting the breach, the Kemuri Water Company’s IT team had begun noticing signs of a security breach – namely, valve and duct movements that were impacting many of the plant’s programmable logic controllers (PLCs). These PLCs are used to manage water flow rate and to control the chemical treatment of the water supply, making it drinkable.
Verizon Security Solutions is the telecommunications giant’s cybersecurity arm and is often enlisted by companies to help manage cybersecurity threats. When Verizon started looking into Kemuri, “They immediately noticed that the organization had a poor security architecture, with Internet-facing systems plagued by high-risk vulnerabilities known to be exploited in the wild, and outdated operation technology systems that had been more than 10 years old,” according to an article in Security Week.
Verizon said the attack happened because the company’s information technology (IT) network was using operating systems that were more than a decade old, and the supervisory control and data acquisition (SCADA) platform was powered by an ancient IBM AS/400 system released back in 1988. This IBM server was so outdated only one employee in the entire plant could operate it properly. It connected to both the plant’s IT network (thus the financial records) and OT systems (controlling the water treatment facility and water supply for surrounding areas).
The Verizon researchers believed the threat actors were able to get into the plant, and the IBM AS/400 system, via a vulnerability in the payment application web server. But because the AS/400 also controlled valve and flow control, the hackers were able to cross breach, jumping from the IT side to the OT side.
In their report, Verizon pointed out that while the attackers managed to gain access to more than 2.5 million customer records and were able to manipulate aspects of the area’s water system – making the attack potentially dangerous – they likely didn’t realize what they were doing. Similar to Oldsmar, these hackers were unskilled in the ways of industrial control systems and possibly did not have malicious intentions toward the water supply.
That’s the rub with attacking most OT systems: Attackers need to understand how they work to create real chaos.
The Kemuri Water Company was able to remediate the changes made to the water supply, and the customer impact was minimal. But the insecurity of the plant’s networks could have led to far more serious consequences, including risk to human safety.
“KWC’s breach was serious and could have easily been more critical. If the threat actors had a little more time, and with a little more knowledge of the ICS/SCADA system, KWC and the local community could have suffered serious consequences,” Verizon’s researchers wrote in the report.
“Having internet facing servers, especially web servers, directly connected to SCADA management systems is far from a best practice. Many issues like outdated systems and missing patches contributed to the data breach — the lack of isolation of critical assets, weak authentication mechanisms and unsafe practices of protecting passwords also enabled the threat actors to gain far more access than should have been possible.”
Despite the lack of real-world damage done in the Kemuri Water Company incident, it’s essential for critical national infrastructure assets to be proactive about their cyber hygiene and take the threat from outside seriously. It’s been proven time and again their systems are vulnerable.