Hackers Modify Water Treatment Parameters By Accident (softpedia.com)
An anonymous reader writes: Verizon's RISK security team has revealed details on a data breach they investigated where some hackers (previously tied to hacktivism campaigns) breached a payments application from an unnamed water treatment and supply company [PDF, page 38], and also escalated their access to reach SCADA equipment responsible for the water treatment process. The hackers modified water treatment chemical levels four different times. The cause of this intrusion seems to be bad network design, since all equipment was interconnected with each other in a star network design, and the payments app contained an INI file with the administrative password for the central router, from where the hackers reached the water treatment SCADA equipment. Of course, the hackers had no clue what they were modifying. Nobody got poisoned or sick in the end.
I've rarely seen a classic "control system" (HVAC, security, wet and dry lab systems, anything with modems and 9600kbps transmission, ANSI screens, etc.) be configured in anything BUT 1980s architecture. These industrial control systems are so old and embedded no one has the money or incentive to remove them and install modern tech. And most of them are archaic, and so incredibly vulnerable it can make a person lose sleep. Think yet another "tip of the iceberg" moment. Think water control, sewage control, electrical control, alarms control, traffic light control. NOT ALL, but the majority are hopelessly insecure and controlled by people who use FAX machines. Anything installed before 2000 or so (the majority) is childlike in design and harbors absolutely no notion of security.
I distill my tap water before drinking it, using one of these.
That doesn't solve this problem, of course, but it does give me an extra layer of protection against failings of the water treatment process.
Contrary to strangely-popular belief, distilled water is only barely acidic (thousands of times less acidic than soda pop, slightly less acidic than a banana), and does not leach minerals from your body. It's water. It is perfectly healthy, and it tastes good.
4) IT management rarely has any understanding of risks associated with IT designs/constraints. Even when explained to them.
There are two types of people in the world: Those who crave closure