Recently in March 2016 , Verizon investigated several cyber attacks according to their data breach digest, including one aimed at the systems of an unnamed water utility referred as Kemuri Water Company.
The water district had consulted Verizon to be vigilant of the system as a precautionary measure, but later Verizon confirmed that the system is already faulty and had already suffered malicious attacks.
According to them , the organisation has a poor system defence architecture which is very vulnerable to internet threats and was operating on very outdated operation technology(OT) which is assumed to be more than ten years old.
The water utility's SCADA platform was operated by an IBM AS/400 system, which was introduced by the vendor in 1988, the system was used to connect both OT functions such as water district's valve and flow control applications and IT functions, and IT functions such as financial systems and billing information.
Experts believed that the hackers exploited vulnerability in payment application as the server contained credentials for AS/400 systems and estimated that 2.5 million records containing customer and payment information has been stolen.
The hackers were also able to manipulate programmable logic controllers, as they had AS/400 admin credentials and therefore manipulated settings related to water flow and the amount of chemicals used for the treatment of water.
Verizon in its data breach report said “In at least two instances, they managed to manipulate the system and thus handicap water treatment and production capabilities so that the recovery time to replenish water supplies increased,Fortunately, based on alert functionality, KWC was able to quickly identify and reverse the chemical and flow changes, largely minimizing the impact on customers.”
Verizon made clear that the hackers had less time and knowledge of the water system to exploit and thus were not able to do much damage which could have been more dangerous otherwise if they had more time and were more skilled.
In the reports it was said that the attackers were not so geek and they required very less skill to get into the system and do the damage.
Wylie from verizon said "When company budgets are tight and production can’t stop, when perceived risks are misjudged and networked systems evolve uncontrollably over the span years and decades, the associated cybersecurity risks to these connected systems naturally increase.”